Akana API Platform Release Notes 2020.2.0


Date: November 11, 2022

Version: 2020.2.18

Document updated on: 2023-02-01 09:25, Pacific Standard Time

Akana 2020.2.x System Requirements

Upgrading Akana API Platform to Version 2020.1.x or 2020.2


Create indexes for MongoDB before upgrading

It's recommended to create indexes before upgrading to 2020.2.x, if you are using MongoDB. For detail, see Create indexes for MongoDB before upgrading.

UI customizations

If you have UI customizations, rebuild styles after upgrade (Admin > Customization > Rebuild Styles), then test your customizations.

Default Theme is removed with 2020.2.0

Default Theme has been removed and is no longer supported in 2020.2.0.

Post-GA Updates

Date (release version): Changes

July 13, 2021 (2020.2.7): "UI customizations" note in box above has been expanded regarding the need to rebuild styles after upgrade.
July 28, 2021 (2020.2.9): Added note in box above, "Create indexes before upgrading," and a new entry under 2020.2.0 to create indexes.
August 19, 2021 (2020.2.3): Added release note entry under 2020.2.3, "Real-time charts could fail to populate a start and end date time when viewing data."
August 19, 2021 (2020.2.2): Added release note entry under 2020.2.2, "The API Details page could display invalid characters in the schema for the request body."
August 19, 2021 (2020.2.0): Added release note entry under 2020.2.0, "Community Manager required fields did not display an asterisk."
September 13, 2021 (2020.2.11): Edited note in above box to clarify that index creation is for MongoDB, "Create indexes for MongoDB before upgrading," and edited the entry under 2020.2.0 to "Create indexes for MongoDB before upgrading."
May 6, 2022 (2020.2.16): Added a new entry to 2020.2.16, "Elasticsearch 7.16.2 now supported," and added a note to "Apache Log4j upgraded to Log4j 2" that Log4j 2 requires Elasticsearch 7.16.2.
November 11, 2022 (2020.2.18): Updated the entry "Improved response times for some platform APIs" to clarify the change.
February 1, 2023 (2020.2.18): Removed all enhancement entries regarding the previous major version 2020.1.x to avoid duplication and simplify these notes. These enhancements are still listed in the 2020.1.x release notes.

Version 2020.2.18

November 11, 2022

Enhancements: 2020.2.18

SAML Web SSO is now supported on Hardware Security Module (HSM)

Policy Manager has added Hardware Security Module (HSM) support for the SAML Web SSO Domain setup.

Support ticket: SUPPORT-42350, SUPPORT-50455

The OpenID Connect configuration now displays more provider properties

The discovery URL/well-known configuration URL for OIDC now displays the id token signing algorithm, the id token encryption algorithm and the id token content encryption algorithm, based on the user's selection. Prior to this change, the well-known configuration displayed just the default list of algorithms.

Support ticket: SUPPORT-22663

New variable in automation recipe properties file controls the tenant protocol

A new property TENANT_SCHEME can be included in the pm-cm-all.properties file for the cm-tenant.json recipe to assign a protocol. HTTP is the default if not set. To change it to HTTPS, for instance, include the following in the properties file:

TENANT_SCHEME=https

Support ticket: No related support tickets.

MongoDB recovery job logic enhanced, with new recommended index

When a MongoDB recovery job failed, it could continue to trigger further rollup jobs, ending up in a perpetual fail state. You can now disable the recovery job to avoid this condition. In the Admin Console, under the configuration com.soa.persistence.mongodb, set persistence.mongodb.rollup.skipRecoveryIteration = -1 to disable the recovery job.

In addition, a new index is recommended to optimize the query while performing recovery jobs:

use METRIC_ROLLUP_DATA
db.<dataset_name>.createIndex(
  {"value._rolluptype": 1, "value.rawIds": 1},
  {name: "<dataset_name>RecoveryIDX"}
)

Support ticket: No related support tickets.

Default promotion timeout increased

When promoting an API between Community Manager instances via Lifecycle Coordinator, the default timeout has been increased from 2 minutes to 5 minutes.

Support ticket: No related support tickets.

Elasticsearch now defaults to enabling TCP keepalives

To avoid timing out HTTP connections between search requests, Elasticsearch now defaults to enabling TCP keepalives. Note that this just enables the Elasticsearch client to use the keep-alive functionality. You may still need to modify your server sysctl settings, as described in the Elasticsearch issue "Enable TCP keepalives by default in Java REST clients #65213."

Support ticket: SUPPORT-48512

Bug Fixes: 2020.2.18

When parameter markers exceed 2,000, jTDS driver fails to process a query

The jTDS driver for Microsoft SQL Server doesn't process a query when the parameter count is more than 2,000. This is a limitation of the driver itself and may also be true of other database drivers.

Support ticket: SUPPORT-43866

Improved response times for some platform APIs

Optimization has improved the response times for the following platform APIs: login, app, API, and contract requests.

Support ticket: SUPPORT-50212, SUPPORT-50210

Response time improved for some REST API requests

A regression in 2020.2.16 could cause increased latency for some REST API requests. This has been corrected.

Support ticket: SUPPORT-50210

Oracle replication could fail due to production errors

If APIs or apps were deleted and the Oracle table UDDI_SERVICE did not have the DELETE CASCADE constraint set, the records in the child table UDDI_INST_DETAILS were not deleted, resulting in inconsistent behavior. Now, the DELETE CASCADE constraint has been added to the UDDI_INST_DETAILS table.

Support ticket: SUPPORT-50188

Authentication error message incorrect in certain scenarios

If a mandatory parameter was not sent with the request when using the OAuth provider and HTTP Form-Based Authentication, a 400 Bad Request error was returned with an invalid_client error code. Now the returned error code has been changed to invalid_request error, which is more accurate.

Support ticket: SUPPORT-50092

Validation did not occur when XSS keywords had spaces

For XSS keywords in Community Manager, validation for an API, app, or group name did not occur if spaces were present between the XSS keyword and the operator. Now, validation recognizes the use of spaces and proceeds as normal.

Support ticket: No related support tickets.
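As an added illustration (not Akana's validator; the keyword set and sample names are assumptions), the check below shows the pre-fix matching, where keyword and operator had to be adjacent, beside a version that tolerates any run of whitespace between them, including tabs and Unicode spaces:

```python
import re

# Checks a name must pass. The page does not enumerate the platform's keyword
# list, so this small set is an assumption for the example.
FIXED_PATTERNS = {
    "javascript-uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event-handler": re.compile(r"\bon\w+\s*=", re.IGNORECASE),
    "script-tag": re.compile(r"<\s*/?\s*script", re.IGNORECASE),
    "css-expression": re.compile(r"\bexpression\s*\(", re.IGNORECASE),
}

# The same checks as the pre-fix validator applied them: keyword and operator
# had to be adjacent, so "onload = x" was not recognised.
NAIVE_PATTERNS = {
    label: re.compile(pattern.pattern.replace(r"\s*", ""), pattern.flags)
    for label, pattern in FIXED_PATTERNS.items()
}


def find_xss_keyword(name, patterns=FIXED_PATTERNS):
    """Return the label of the first check the name trips, or None when it is clean."""
    for label, pattern in patterns.items():
        if pattern.search(name):
            return label
    return None


def validate_name(name):
    """True when the name is acceptable for an API, app, or group."""
    return find_xss_keyword(name) is None


# Constructed sample names; the whitespace variants are the ones that slipped
# through before the fix.
SAMPLE_NAMES = [
    "Orders API v2",
    "Partner onload=x Group",
    "Partner onload \t= x Group",
    "javascript : void(0)",
    "<  script",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        naive = find_xss_keyword(name, NAIVE_PATTERNS)
        print(f"{name!r:32} naive={naive!s:15} fixed={find_xss_keyword(name)}")
```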

Calls to APIs using the SPNEGO policy could fail

When using the SPNEGO Operational policy with the Kerberos Authentication policy, the service could not successfully get the Kerberos ticket (TGT) due to cache-refresh issues. This subsequently caused the API call to fail. The Kerberos ticket is now refreshed and cached after its expiration.

Support ticket: SUPPORT-46684

Some updates and imports were not updating the container

Various updates and imports were not updating the Network Director container, including the import of a new API, attaching new policies to APIs, or modifying the target endpoint. Now, these changes are reflected in Network Director without the need to restart the container.

Support ticket: No related support tickets.

Outdated JavaScript library security vulnerabilities

The JavaScript libraries with security vulnerabilities have been upgraded, as follows:

  • jQuery 3.6.1
  • Handlebars 4.7.7
  • momentjs 2.29.4

Support ticket: SUPPORT-31089

New API or app did not display version correctly in Policy Manager

After creating a new API or app in Community Manager, its initial version for the "Design entity" did not properly display in Policy Manager.

Support ticket: SUPPORT-2223

Custom Bonita theme did not load after deleting the original theme

A custom theme created by cloning the Bonita theme did not load if the Bonita theme was subsequently deleted.

Support ticket: No related support tickets.

Invoking the Ping service could return an error

An error is no longer returned after invoking the Akana Ping Support feature on either a Policy Manager or Community Manager container.

Support ticket: No related support tickets.

API name change in Community Manager not reflected in Policy Manager

When renaming an API in Community Manager, the name change on the physical, virtual, and design entities representing the API in Policy Manager may not have updated.

Support ticket: SUPPORT-2223, SUPPORT-29662, SUPPORT-1213, SUPPORT-42250, SUPPORT-44813

Error message updated when client_id is missing from the token request

The Akana OAuth Provider token endpoint returned an HTTP "401 Unauthorized" error when the client_id value was missing from the token request. The error message has been corrected and is now an HTTP "400 Bad Request" error.

Support ticket: SUPPORT-50092
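This entry and "Authentication error message incorrect in certain scenarios" above describe the same distinction. As an added example, not the Akana OAuth Provider's code, the validator below applies RFC 6749's error codes to a form-authenticated token request; the client registry and the per-grant required parameters are assumptions:

```python
import hmac

# Registered clients and their secrets; constructed for the example.
CLIENTS = {"app-1": "s3cret-for-app-1"}

# Parameters treated as mandatory for each grant type handled here. This is an
# assumption for the example; RFC 6749 makes some of them conditional.
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}


def authenticate_client(client_id, client_secret):
    """Constant-time secret comparison; False for unknown clients as well."""
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(
        expected.encode(), client_secret.encode()
    )


def validate_token_request(form):
    """Return (http_status, error_code) for a token request using form parameters.

    A missing or empty mandatory parameter is a malformed request and gets
    400 invalid_request. 401 invalid_client is reserved for credentials that
    were presented and rejected, so the two cases are no longer conflated.
    """
    grant_type = form.get("grant_type")
    if not grant_type:
        return 400, "invalid_request"
    if grant_type not in REQUIRED_BY_GRANT:
        return 400, "unsupported_grant_type"
    # client_id is mandatory because the client authenticates with form parameters.
    for name in ("client_id",) + REQUIRED_BY_GRANT[grant_type]:
        if not form.get(name):
            return 400, "invalid_request"
    if not authenticate_client(form["client_id"], form.get("client_secret", "")):
        return 401, "invalid_client"
    return 200, None


if __name__ == "__main__":
    # Constructed requests: missing grant_type, missing client_id, wrong secret, valid.
    for form in (
        {"client_id": "app-1", "client_secret": "s3cret-for-app-1"},
        {"grant_type": "client_credentials", "client_secret": "s3cret-for-app-1"},
        {"grant_type": "client_credentials", "client_id": "app-1", "client_secret": "nope"},
        {"grant_type": "client_credentials", "client_id": "app-1", "client_secret": "s3cret-for-app-1"},
    ):
        print(form, "->", validate_token_request(form))
```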

New API could not be viewed in API Designer

In Community Manager, a new API created with a YAML file was not properly displayed in the API Design and API Documentation pages.

Support ticket: No related support tickets.

Updated user details were not fully reflected for OpenID Connect domain

If existing users in an OIDC domain changed their details, those changes were not fully reflected in the database.

Support ticket: SUPPORT-42390

Errors could be returned from OAuth external provider when data was chunked

In some cases, calls to an OAuth external provider could return an error when the encoding method chunked the data. Now, calls to OAuth external providers are made based on the policy's selected transfer encoding, set via a new option HTTP/1.1 Chunked Encoding, available while configuring the OAuth Client Policy. The default is true.

Support ticket: SUPPORT-41804, SUPPORT-43789

The openbanking_intent_id was not being returned

For the Akana OAuth/OIDC domain, the openbanking_intent_id was not being properly returned.

Support ticket: SUPPORT-50090

Cached Policy Manager public key in Network Director could be invalidated

Communication between Network Director(s) and Policy Manager failed intermittently due to the cached Policy Manager public key in the Network Director(s) becoming invalid.

Support ticket: SUPPORT-49545

Inactive session timeout could be ignored if an active session timeout was also set

If both the active and inactive session timeout settings are set, the inactive session timeout setting could be ignored and in some cases, an error could be returned. Session timeout settings now work as expected.

Support ticket: SUPPORT-45430

The Contracts API used inconsistent case for start query parameters

The GET /api/apis/versions/<apiVersionId>/contracts API mistakenly used title case Start and Count query parameters when all other methods use lower case start and count query parameters. Now, lower case start and count query parameters are allowed, while title case Start and Count have been retained for backward compatibility.

Support ticket: SUPPORT-35863

New config property controls a schema object's parsing depth

A new configuration property swagger.config.maxDepth has been added to com.akana.swagger, available in the Admin Console. This property defines how many levels down to parse a schema object's properties/schemas for OAS/Swagger APIs. The default is 10. Increasing the default level may impact performance with large APIs.

Support ticket: SUPPORT-49065
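An added example, not Akana's parser, of the mechanism such a depth limit provides: a walker over a constructed OAS 3.0 fragment whose schema refers to itself, which is exactly the input an unbounded parser never finishes. It goes slightly beyond the setting itself by counting how the expanded node total grows with the limit:

```python
# Constructed OAS 3.0 fragment: Node refers to itself through "children", so a
# walker with no depth limit never terminates on it.
SPEC = {
    "components": {
        "schemas": {
            "Node": {
                "type": "object",
                "properties": {
                    "id": {"type": "string"},
                    "children": {
                        "type": "array",
                        "items": {"$ref": "#/components/schemas/Node"},
                    },
                },
            }
        }
    }
}


def resolve_ref(spec, ref):
    """Follow a document-local JSON pointer such as #/components/schemas/Node."""
    if not ref.startswith("#/"):
        raise ValueError(f"only document-local references are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def expand(spec, schema, max_depth=10, depth=0):
    """Inline $refs and nested properties down to max_depth levels.

    Anything deeper is replaced with a {"truncated": True} marker instead of
    being followed, which is what bounds both run time and output size.
    """
    if depth > max_depth:
        return {"truncated": True}
    if "$ref" in schema:
        # Resolving a reference does not consume a level; nesting does.
        return expand(spec, resolve_ref(spec, schema["$ref"]), max_depth, depth)
    out = {}
    if "type" in schema:
        out["type"] = schema["type"]
    if "properties" in schema:
        out["properties"] = {
            name: expand(spec, sub, max_depth, depth + 1)
            for name, sub in schema["properties"].items()
        }
    if "items" in schema:
        out["items"] = expand(spec, schema["items"], max_depth, depth + 1)
    return out


def count_nodes(expanded):
    """Number of schema nodes (truncation markers included) in an expanded tree."""
    total = 1
    for sub in expanded.get("properties", {}).values():
        total += count_nodes(sub)
    if "items" in expanded:
        total += count_nodes(expanded["items"])
    return total


if __name__ == "__main__":
    root = SPEC["components"]["schemas"]["Node"]
    for limit in (0, 2, 10):
        print(f"maxDepth={limit}: {count_nodes(expand(SPEC, root, max_depth=limit))} nodes")
```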

Authentication policy creation allowed the selection of all customer domains

When creating an Authentication policy, the domain options incorrectly included all customer domains. Now, only domains associated with organization or tenant are available for selection.

Support ticket: No related support tickets.

Reimported API could be added to an incorrect organization

If an API was previously deleted and imported back into the tenant, the API was not placed in the correct API organization.

Support ticket: No related support tickets.

Uploaded images did not always save correctly in Community Manager

When uploading an image to the API Documentation page in Community Manager, the image was not saved properly in some cases.

Support ticket: SUPPORT-48664

Community Manager could return an error for attachments larger than 500MB

When attaching a file larger than 500MB to an API, the log could report an "out of memory" error. The platform now properly supports attachments, based on the environment, the heap size, and the attachment size.

Support ticket: SUPPORT-49122, SUPPORT-42400

Community Manager did not display an active policy if a draft had a later version date

When a draft version of a policy existed with a newer version than the active policy, the active policy did not display. Now, only active policies appear in the list of policies on the API Implementations > Edit Policies page, regardless of whether there is a draft version that may ultimately supersede it.

Support ticket: SUPPORT-46680

Open API 3.0 version incorrectly returned in the Developer Portal

The Open API 3.0 version identified in the OAS 3.0 API definition in the API Designer of the Community Manager Developer Portal was returning an invalid version.

Support ticket: SUPPORT-45867

Policy Manager certification update didn't update Network Director

After an update to the Policy Manager certification, Network Director was not updated, so subsequent API calls would fail.

Support ticket: SUPPORT-45966

Version 2020.2.17

February 3, 2022

Enhancements: 2020.2.17

Elasticsearch Log Appender Plug-In has been replaced in 2020.2.17

The Akana Elasticsearch Log4J Appender Plug-In no longer works with releases after 2020.2.16 following the introduction of Log4J 2.x as the core logging framework in the Akana product. Because of this, a new off-the-shelf appender is now incorporated into the product. Users of the legacy Appender will need to migrate to the new configuration when upgrading. For detail, see "Configuring the Elasticsearch Log Appender (2020.2.17 and later)" on the Akana docs site.

Support ticket: No related support tickets.

Bug Fixes: 2020.2.17

Importing, then updating scripts could render the container unable to get updates

Importing scripts and then updating them could cause the container to stop reflecting updates.

Support ticket: SUPPORT-47037, SUPPORT-47963

Version 2020.2.16

January 26, 2022

Enhancements: 2020.2.16

Apache Log4j upgraded to Log4j 2

The Apache logging service Log4j has been updated from Log4j 1.x to Log4j 2.17.1 (which avoids the known security vulnerabilities CVE-2021-45105 and CVE-2021-45046). This version of Log4J is incompatible with the previous version and requires a change to the container startup configuration. Because of this, containers will need to be recreated, as updating a container "in place" is not supported. In addition, if you have customized logging in place, you'll also need to refactor your logging configuration. For migration and configuration information, see Migration to Log4j version 2.x on the Akana docs site.

Note that Log4j 2.x requires Elasticsearch version 7.16.2, now supported as of this release.

Support ticket: SUPPORT-47917

Elasticsearch 7.16.2 now supported

The platform has added support for Elasticsearch 7.16.2 with this release.

Support ticket: SUPPORT-48956

Bug Fixes: 2020.2.16

New configurations can enforce a JCE provider for Jose V2

A new set of configurations provide the ability to enforce the JCE provider for the JOSE Security Policy v2, available in the Admin Console under com.akana.jose.config. There are four different configurations for each step in the JOSE policy: sign, verify, encrypt, and decrypt. For detail, see "Specifying the JCE provider" on the Akana documentation website.

Support ticket: SUPPORT-47537

Parallel calls to the Request Contract API could fail

Parallel calls to the Request Contract API (POST /api/contracts) could sporadically return an HTTP error "500 Internal Server Error."

Support ticket: SUPPORT-43418

Jose V2 signature verification could ignore the certificate expiration

The JOSE Security Policy v2 could allow a signature to be verified based on an expired certificate, in some cases.

Support ticket: SUPPORT-47289

In Policy Manager, internet restrictions could impact viewing policy details

Some policy configuration details did not display when access to the internet was restricted for the application.

Support ticket: SUPPORT-46233

Version 2020.2.15

December 10, 2021

Enhancements: 2020.2.15

This release includes no enhancements.

Bug Fixes: 2020.2.15

Retrieving a token from Akana OAuth provider could fail with 404 in certain scenarios

When retrieving a token from an OAuth provider, the provider intermittently returned an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-46998

Filtering Analytics logs or charts could return incorrect results in some cases

When filtering an API chart or transaction log on the API's Analytics page, incorrect results could be returned in some cases.

Support ticket: SUPPORT-45300

Listener certificates were not updating in Policy Manager

Containers created with HTTPS listeners using deployment automation could get into a condition in which the listener certificates could not be updated from Policy Manager. This was the result of the container registration logic persisting the original certificates in container metadata and overriding the updated configuration.

Support ticket: SUPPORT-41460

Version 2020.2.14

October 8, 2021

Enhancements: 2020.2.14

This release includes no enhancements.

Bug Fixes: 2020.2.14

The Envision Metrics policy could calculate rollup data incorrectly in some cases

A logic error in the Metrics Policy could cause incorrect rollup aggregations when two events were recorded at the same time with identical dimensions.

Support ticket: No related support tickets.

Version 2020.2.13

October 6, 2021

Enhancements: 2020.2.13

New configuration to enforce a crypto provider for Jose V2

A new configuration provides the ability to enforce the crypto provider for the JOSE Security Policy v2, available in the Akana Administration Console under com.akana.jose > jose.v2.security.handler.factory.joseCryptoProvider. For detail, see "Specifying the JCE provider" on the Akana documentation website.

Support ticket: SUPPORT-45507

Bug Fixes: 2020.2.13

Importing an API from a zip file using OpenAPI 3.0 could fail on relative and example references

For an API based on OpenAPI 3.0 (OAS), importing an API from a zip file could return an error "The API definition could not be read." This was due to an issue with handling relative references and with example references not resolving, in some cases. Note that the server URL, if provided, must be absolute.

Support ticket: SUPPORT-42210

Nested schema references in Swagger documents were not resolving, in some cases

Nested schema references in Swagger documents were not being resolved in some cases, resulting in a "General System Error" on the API Details and Edit API Design pages.

Support ticket: SUPPORT-42210, SUPPORT-42292

Version 2020.2.12

September 16, 2021

Enhancements: 2020.2.12

This release includes no enhancements.

Bug Fixes: 2020.2.12

New configuration property addresses a possible XSS vulnerability in file upload

To address a potential XSS vulnerability during file upload, the file media type can now be determined based on the internet media types (the mime.types file) which maps file types to unique file extension(s), and also by the file content itself. This is controlled by a new property in the Akana Administration Console, com.soa.atmosphere.config.useMimeTypesFile. To take advantage of this property, set it to true; the default is false. For detail, see Admin Console Settings on the Akana documentation site.

As part of this enhancement, the default value for the Query parameter on BoardAPI.getArtifact() and BoardAPI.getCommentArtifact() is now true, changed from false, meaning that the links to the file artifacts are now downloaded by default. For detail, see the documentation for GET /api/boards/items/{BoardItemID}/artifacts/{FileName} and GET /api/boards/items/comments/{CommentID}/artifacts/{FileName}.

Support ticket: SUPPORT-41131
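An added example, not the platform's code, of the two determinations the property enables: with the strict setting, the extension map (standing in for mime.types) and a sniff of the file content must agree before an upload is accepted, whereas the default setting takes the client's declared Content-Type at face value. The extension map, allow-list and sample files are constructed for the example:

```python
# Extension map standing in for the mime.types file, and an allow-list of what
# the upload endpoint may store. Both are assumptions for the example.
EXTENSION_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
}
ALLOWED_TYPES = set(EXTENSION_TYPES.values())

# Leading bytes that identify binary formats regardless of the file name.
MAGIC_NUMBERS = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
)


def type_from_extension(filename):
    """Media type from the extension map, or None for unknown extensions."""
    dot = filename.rfind(".")
    return EXTENSION_TYPES.get(filename[dot:].lower()) if dot >= 0 else None


def type_from_content(data):
    """Sniff the media type from the bytes; markup is reported as text/html."""
    for magic, media_type in MAGIC_NUMBERS:
        if data.startswith(magic):
            return media_type
    try:
        text = data[:1024].decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    if any(ord(ch) < 32 and ch not in "\t\r\n" for ch in text):
        return "application/octet-stream"
    lowered = text.lstrip().lower()
    if lowered.startswith("<!doctype html") or any(
        tag in lowered for tag in ("<html", "<body", "<script")
    ):
        return "text/html"
    return "text/plain"


def classify_upload(filename, data, declared_type, use_mime_types_file):
    """Return (media_type, accepted).

    use_mime_types_file=False: the declared Content-Type is trusted as-is.
    use_mime_types_file=True: the type must come from the extension map AND
    agree with what the bytes look like, so an HTML file named photo.png is
    rejected and reported as text/html.
    """
    if not use_mime_types_file:
        return declared_type, declared_type in ALLOWED_TYPES
    by_name = type_from_extension(filename)
    by_content = type_from_content(data)
    accepted = by_name is not None and by_name == by_content and by_name in ALLOWED_TYPES
    return by_content, accepted


# Constructed sample uploads: a PNG signature padded with zeros, an HTML page,
# and plain text.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BYTES = b"<html><body>not an image</body></html>"
TEXT_BYTES = b"release notes\n"

if __name__ == "__main__":
    for name, data, declared in (
        ("photo.png", PNG_BYTES, "image/png"),
        ("photo.png", HTML_BYTES, "image/png"),
        ("notes.txt", TEXT_BYTES, "text/plain"),
    ):
        loose = classify_upload(name, data, declared, use_mime_types_file=False)
        strict = classify_upload(name, data, declared, use_mime_types_file=True)
        print(f"{name}: default={loose} strict={strict}")
```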

Version 2020.2.11

September 11, 2021

Enhancements: 2020.2.11

This release includes no enhancements.

Bug Fixes: 2020.2.11

Configuring a Network Director/Gateway without Policy Manager could fail in some cases

The configuration of a Network Director/Gateway with only HTTPS listeners and without an available Policy Manager could fail because the Network Director would try to retrieve trusted certificates from Policy Manager. In this case, Network Director will now fall back on the bootstrap PKI configuration if Policy Manager is not available.

Support ticket: SUPPORT-45159

Public APIs did not display the API Overview page for anonymous users

Anonymous users, i.e., those not logged in, could not view the API Overview page for publicly visible APIs.

Support ticket: No related support tickets.

Version 2020.2.10

September 7, 2021

Enhancements: 2020.2.10

Hermosa theme now has descriptive search tooltips

The API search box in the Hermosa theme now has a descriptive tooltip for entering search tags, displayed when clicking in the search box. This tooltip is also available in the general search box in the filter on the search results page.

Support ticket: SUPPORT-43887

Bug Fixes: 2020.2.10

The Throughput Quota Policy could fail

The Throughput Quota Policy (a Quality of Service (QoS) policy) could return an error in certain circumstances.

Support ticket: SUPPORT-44992, SUPPORT-45018

Test Clients and documentation did not always display the Security button for APIs with the Aggregate Policy

In certain cases, the Security button for APIs using the Aggregate Policy could fail to display for Swagger documentation, OpenAPI documentation, API Test Client, and App Test client.

Support ticket: SUPPORT-44867

MongoDB index changes are no longer automatically dropped and recreated on update

MongoDB indexes on METRIC_ROLLUP_DATA and METRIC_RAW_DATA will not be automatically dropped and recreated on update. Instead, any intended index changes will be logged as an error; the MongoDB administrator will then have the responsibility to apply them as necessary.

Support ticket: No related support tickets.

New default script repository configuration

The configuration of the script repository has changed, with a new implementation based on a disk-overflow cache. This is now configured as the default, avoiding a potential deadlock that could occur when updating the script repository. The new implementation uses the following properties:

Setting                                           Description
script.repository.cache.enable                    Enable or disable the script cache.
script.repository.cache.config.location           The location of the disk overflow cache.
script.repository.cache.config.maxMemoryEntries   The maximum number of entries in memory before they will be swapped to disk.
script.repository.cache.config.maxDiskSize        The maximum size of the disk swap in KB.

For detail, see "Script Repository Configuration" on the Akana docs site.

Support ticket: SUPPORT-36831, SUPPORT-44541, SUPPORT-44595

Database driver could fail to process a query when parameter markers exceeded 2,000

The jTDS database driver has a limitation of 2,000 parameter markers, so will fail to process a query if the markers exceed that number. This may be true of other database drivers, as well.

Support ticket: SUPPORT-43866

For MongoDB, a non-default database name could cause a problem with auditing

If a non-default authentication database name (other than the default name of "Akana") was used for MongoDB, auditing data was not persisted.

Support ticket: SUPPORT-44297, SUPPORT-44300, SUPPORT-44319, SUPPORT-44216

Setting API Default as request mediatype for an operation did not work as expected

API request payloads of content-type "application/json" were being transformed to XML before the request was sent downstream, if the request mediatype for the operation used API Default, and if the Default Media Types for the API were set to "Any in and out".

Support ticket: SUPPORT-45013, SUPPORT-43265

Version 2020.2.9

August 2, 2021

Enhancements: 2020.2.9

New workflow function supports a default role assignment to developer portal users using a specific login domain

A new workflow function, addRoleToUser, is available for custom workflow to modify the default platform behavior so that a new user, logging in for the first time with a specific login domain, is automatically assigned to a specific role.

Support ticket: SUPPORT-41444

For third-party documentation using iframes, the platform now handles session management

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), the API platform now handles session management for third-party documentation that uses iframes. When the API documentation is displayed in an iframe, the iframe takes care of renewing the session. In addition, the third-party portal can handle the session before navigating to the iframe API document via a special page (which is provided in the customization samples or from Technical Support).

To take advantage of this, set the height and width of this new page to 0 so that the token is renewed in the background. Load this special page in an iframe in all pages except the API documentation's iframe.

Support ticket: SUPPORT-43303

Custom workflow can mark a third-party user a registered user at first login

Third-party domain users can be assigned a registered state when logging into the Community Manager for the first time via a new initial action @AllowMarkUserAsRegistered. This is implemented through a custom workflow and overrides the default behavior which first assigns a pending_validation state to external domain users. See @AllowMarkUserAsRegistered on the Akana documentation website for more information.

Support ticket: SUPPORT-43689

The jose.4.j library has been upgraded from 0.6.3 to 0.6.5

The jose.4.j library used on the platform has been upgraded from 0.6.3 to 0.6.5. The new version adds support for the RSASSA-PSS algorithm, necessary when PS256 is selected for digital signing.

Support ticket: SUPPORT-44157

Bug Fixes: 2020.2.9

Accessing individual transaction logs in the developer portal could fail

In the Community Manager developer portal, accessing the individual transaction log from Analytics > Logs could fail in some cases.

Support ticket: No related support tickets.

Regression could cause an exception when creating usage metrics

After an upgrade to 2020.2.7, a Java ConcurrentModificationException could occur when creating an API's usage metrics.

Support ticket: No related support tickets.

Password security updates from 2020.2.5 reinstated

Work related to the entry "General updates to strengthen password security" from the 2020.2.5 release was reverted in 2020.2.6, but has now been reinstated.

Support ticket: No related support tickets.

Version 2020.2.8

July 23, 2021

Enhancements: 2020.2.8

File download now available on an API's documentation page

In the Community Manager developer portal, an API's documentation page now features a download option so users can download the corresponding Interface Description Language file.

Support ticket: SUPPORT-43002

Search returns results for an API's summary and description

Community Manager developer portal search returns and displays results for both an API's summary and its description, given a keyword. Previously, only results based on an API's description were returned and displayed.

Support ticket: SUPPORT-40847

The Access button to create a contract between an API and an app can now be controlled according to user role

Site Admins can control whether the Access button to create a contract between an API and an app appears or not, by implementing a custom API workflow that uses a new workflow action @DisallowApiAccess.

Support ticket: SUPPORT-40443

Embedding API documentation in a third-party portal now supports non-library dependent version

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), a non-library dependent design is now supported, for example, a design without use of JavaScript. Note that, in this case, the UI's display may be impacted, including scroll bars or a failure to display a loader message while API documentation is in progress.

Support ticket: No related support tickets.

For API descriptions using Markdown, the search returned Markdown syntax

When an API description used the Markdown language, the API Details and Overview pages processed the Markdown and displayed it correctly, but the search displayed the Markdown syntax without processing it. Now, the Markdown is converted to plain text and displayed in the search results. The API Details and Overview pages still display the processed Markdown.

Support ticket: SUPPORT-41836

URL-encoded certificate headers now supported by the HTTP Security Policy

The HTTP Security Policy enforcement handler now has the ability to consume URL-encoded certificate headers.

Support ticket: SUPPORT-43722

New configuration property now controls the RFC compliance level

A new configuration property has been added to the Akana Administration Console supporting the configuration of the RFC compliance level of the HTTP parser. This provides backwards compatibility with older versions of Jetty, and provides support for clients that are not compliant with the latest RFCs.

The new configuration property is com.soa.platform.jetty -> http.incoming.transport.config.compliance. For supported values, see "Configuring the security settings" on the page Configuring Compliance Modes for HTTP Parsing and Handling on the Akana documentation website.

Support ticket: SUPPORT-43722

API Consumer Application Security Policy now supports HMAC-SHA512

The API Consumer Application Security Policy has added support for cypher suite HMAC-SHA512, available as an option on the policy page. For more information, see "Configuring API Consumer Application Security Policy options" on the Akana documentation website.

Support ticket: SUPPORT-43228

Support added for new signing algorithms for OAuth provider PingFederate 10

For OAuth provider PingFederate 10.0.x, support has been added for the Private Key JWT and Request Object signing algorithms, available on an app's Details page by selecting OAuth Profile.

  • Choosing Private Key JWT from the section "Choose from authentication options below" launches a dropdown "Private Key JWT Signing Algorithm" to select a signing algorithm that the client must use to sign the JWTs for client authentication.
  • Choosing Required Signed Requests launches a dropdown to select the signing algorithm that the client must use to sign the request object.

Support ticket: SUPPORT-33433

Auth Token validity is now configurable

The Community Manager developer portal Auth Token validity is now configurable via the Active Login Session Timeout setting. If the Active Login Session Timeout is set to 0, then the Auth Token validity defaults to 30 minutes, as was the default before this update.

Support ticket: SUPPORT-43293

Security settings added to control CSRF defense when using the latest Chrome browser

The latest Chrome browser has changed the default setting it applies to the SameSite attribute, which defends against CSRF attacks. This was resulting in a failure to display API documentation inside an iframe from a third-party portal running on a domain other than the portal domain, in which case, an HTTP "401 Unauthorized" exception could occur.

To ensure the display of API documentation in this situation, there is a new setting on the Security Settings page (Admin > Settings > Security): set the Authentication CSRF Token Cookie Attribute - SameSite field to "None." An existing setting to control the Domain attribute, Authentication and CSRF Token Cookie Attribute - Domain, was also added to this page.

For more information, see "How do I configure settings for business security?" on the Akana documentation site.

Support ticket: No related support tickets.
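To make the behaviour behind this setting concrete, here is an added example (not Akana code) that models how a browser with Chrome's Lax-by-default rule decides whether to attach a cookie to a request issued from a cross-site iframe. The cookie name and the Set-Cookie header strings are constructed for illustration; the rule modelled is that a cookie with no SameSite attribute is treated as Lax, Lax cookies travel only on top-level navigations, and SameSite=None is honoured only together with the Secure attribute over HTTPS.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse the attributes of a Set-Cookie header value (constructed sample input)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    same_site = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.lower() == "samesite":
            same_site = value.strip().capitalize()  # normalise "none" -> "None"
        elif key.lower() == "secure":
            secure = True
    return Cookie(name, same_site, secure)


def sent_cross_site(cookie: Cookie, top_level_navigation: bool, https: bool) -> bool:
    """Return True if a Lax-by-default browser sends the cookie on a cross-site request.

    An iframe load is a sub-resource request, not a top-level navigation, so a Lax
    cookie (explicit or defaulted) is withheld from it; that is why the portal's
    CSRF token cookie never reaches the server and a 401 results.
    """
    mode = cookie.same_site or "Lax"  # Chrome 80+ treats a missing attribute as Lax
    if mode == "Strict":
        return False
    if mode == "Lax":
        return top_level_navigation
    # SameSite=None: Chrome rejects the cookie outright unless it is also Secure,
    # and Secure cookies are only sent over HTTPS.
    return cookie.secure and https


def iframe_gets_cookie(set_cookie_header: str) -> bool:
    """Convenience wrapper: would an HTTPS third-party iframe receive this cookie?"""
    return sent_cross_site(parse_set_cookie(set_cookie_header), top_level_navigation=False, https=True)
```

Setting SameSite to "None" restores the cross-site iframe case, but it also removes the browser-side part of the CSRF defence for that cookie, so the server-side token validation remains the control that matters.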

For OpenAPI 3.0, parameters, request bodies, and responses can now contain examples

For an API based on OpenAPI 3.0 (OAS), its documentation now supports the inclusion of a full example, or multiple examples, for parameters, request bodies, or responses.

Support ticket: SUPPORT-41503

Bug Fixes: 2020.2.8

For the OpenID Connect Relying Party domain, default claim names were used instead of custom claim names

After configuring custom claim names in an OpenID Connect Relying Party domain in the Community Manager developer portal, default claim names were still used. Custom claim names are now used as expected, but any existing OpenID Connect Relying Party domains with claim names need to be saved for the changes to take effect. If, however, an existing OpenID Connect Relying Party domain, or one without custom claim names, is working without any issues, no action is required.

Support ticket: SUPPORT-41815

Some Swagger documents did not display correctly on the API Details and Designer pages

Swagger documents containing operations with responses of different content types did not display correctly on the API Details and API Designer pages.

Support ticket: SUPPORT-40901

Detailed auditing not capturing the request payload for platform services in certain scenarios

When the Detailed Auditing policy was attached to platform services (Community Manager APIs), the request payload was not captured in usage logs, in some cases.

Support ticket: SUPPORT-43093

Custom policies did not display when a PM Context path was not "/"

In Policy Manager, custom policies now work when the PM context path is something other than /. Previously, if the context path was not at root, the policies would not display correctly in the UI.

Support ticket: No related support tickets.

Updating an app's visibility could result in an error

In the Community Manager developer portal, changing an app's visibility from public to private could return an error if some public app settings were disabled.

Support ticket: SUPPORT-42717

For OAuth provider PingFederate, an app description was not properly added

When creating an app with PingFederate as the OAuth provider, the app description, i.e., the contents of the Description field under App OAuth Profile, was not added when syncing the ClientID to PingFederate.

Support ticket: SUP-12168, SUPPORT-1082

For an external keystore, issuer Distinguished Names with spaces could result in keystore certificates not being found

When using an external keystore, the certificate lookup mechanism did not handle issuer Distinguished Names (DNs) properly when matching them against the keystore certificates, so issuer DNs containing spaces could result in certificates not being found.

Support ticket: SUPPORT-41801
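The failure mode above is what happens when two textual renderings of the same DN are compared as plain strings. The following added example (not Akana code) shows a structural comparison instead: the DN is split into its relative components on unescaped commas, attribute types are lowercased, and whitespace around separators is ignored, so "CN=Example CA, O=Example Corp" and "CN=Example CA,O=Example Corp" match. The keystore is represented as a constructed dict of alias to issuer DN; multi-valued RDNs joined with "+" are not handled here.

```python
from typing import Dict, List, Tuple


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, leaving occurrences escaped with a backslash (RFC 4514) intact."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'CN=a, O=b' into [('cn', 'a'), ('o', 'b')].

    Attribute types are case-insensitive and whitespace around the comma and
    the '=' is not significant, so those differences must not affect matching.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Compare two DN strings by their parsed components rather than as raw text."""
    return parse_dn(a) == parse_dn(b)


def find_by_issuer(keystore: Dict[str, str], issuer_dn: str) -> List[str]:
    """Return the keystore aliases whose certificate issuer matches issuer_dn.

    keystore maps alias -> issuer DN string (a constructed stand-in for reading
    the issuer from each stored certificate).
    """
    return [alias for alias, dn in keystore.items() if dn_equal(dn, issuer_dn)]
```

A naive `dn == issuer_dn` check returns no alias for the spaced form in the test below; the structural comparison finds it.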

Files with disallowed file types could be uploaded to the portal if the filename was changed

A file with a content type that was not allowed for uploading to the developer portal could bypass this limitation if its name was changed.

Support ticket: SUPPORT-41553
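An upload filter that keys off the filename alone is defeated by a rename; the content itself has to be inspected. The following added example (not Akana code) identifies the uploaded bytes by their leading signature, checks the detected type against an allow list, and additionally rejects uploads whose extension disagrees with the detected content. The signature table, extension map and sample payloads are a constructed subset for illustration.

```python
import os
from typing import Optional, Tuple

# Leading-byte signatures for a few common types (constructed subset, most specific first).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),  # Windows PE executable: never allowed
]

# Which content type each permitted extension is expected to carry.
EXTENSION_MIME = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
}

ALLOWED = frozenset(EXTENSION_MIME.values())


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the file's first bytes, or None if unknown."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None


def accept_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is acceptable; the decision rests on content, not name.

    Returns (accepted, reason). The extension is only used as a consistency check
    after the content has been identified, so renaming a file cannot widen what
    is accepted.
    """
    detected = sniff_type(data)
    if detected is None:
        return False, "unrecognised content"
    if detected not in ALLOWED:
        return False, f"disallowed content type {detected}"
    ext = os.path.splitext(filename)[1].lower()
    if EXTENSION_MIME.get(ext) != detected:
        return False, f"extension {ext or '(none)'} does not match content type {detected}"
    return True, detected
```

Sniffing the first bytes is a cheap first gate; for image types a full decode in a sandboxed worker is the stronger check, since a valid header can still precede malformed data.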

Image quality could degrade after upload

After uploading an image to the Community Manager developer portal, the quality of the image was degraded in some cases.

Support ticket: SUPPORT-43183

With Oracle, API access failed when an API had many scopes and licenses

With an Oracle database, when a very large number of scopes and licenses were mapped to an API at the operation level, an API Access request failed with a SQL exception error.

Support ticket: No related support tickets.

Adding a new version to an API could fail

Adding a new version to an API with a descriptor could fail in some cases.

Support ticket: SUPPORT-41466

Elasticsearch could send unencrypted traffic in some cases

When the Elasticsearch sniffer feature was enabled, Elasticsearch could send unencrypted traffic on an HTTPS channel.

Support ticket: No related support tickets.

New user invitations were not returned in search results

New users invited to create an account in the Community Manager developer portal could fail to be listed under Admin > Users, due to a problem with Elasticsearch indexing.

Support ticket: SUPPORT-43158

API creation could fail when importing an OpenAPI 3.0 file with a circular reference

API creation was failing when importing an OpenAPI (OAS) file that had a circular reference to a schema, returning a "Recursion Depth Exceeded" exception.

Support ticket: SUPPORT-41462

Version 2020.2.7

July 06, 2021

Enhancements: 2020.2.7

Searching with "AND" limits the results appropriately

Searching APIs for keywords using "AND" returns only those APIs that have both elements present. Previously, a search using AND did not properly narrow the results, returning APIs with just one element present.

Support ticket: SUPPORT-40951

Bug Fixes: 2020.2.7

A regression could result in the Process Editor failing to display when the Policy Manager context path was not root

Due to a regression introduced in 2020.2.6, Process Editor display errors could occur in the Community Manager developer portal. When Policy Manager was running on a different context path than root ("/"), the Process Editor did not display on the API Details and API Implementation Details pages.

Support ticket: No related support tickets.

In Policy Manager, alert emails could return a SQL exception for Oracle

When an alert was generated from an Oracle database in Policy Manager and an email was sent to the configured user, a SQL exception could occur.

Support ticket: SUPPORT-26139

Calls between virtual services could fail in some cases

Calls between virtual services could fail if the normalized response contained invalid XML.

Support ticket: SUPPORT-42841

In Bonita theme, users without access could view the Analytics menu

The Analytics menu for an API was visible to users who did not have access to any Analytics functions; when clicked in the navigation bar, an HTTP error "401 Unauthorized" was returned. Now the Analytics menu displays only for authorized users, similar to Hermosa theme.

Support ticket: SUPPORT-40276

Multi-file import could fail to find a referenced object when adding a new API

When adding a new API in the Community Manager developer portal, fragment or local references (those without a complete file path) to other files of a ZIP were not resolving properly, producing an HTTP 500 Internal Server Error.

Support ticket: SUPPORT-42292

Version 2020.2.6

June 18, 2021

Enhancements: 2020.2.6

This release includes no enhancements.

Bug Fixes: 2020.2.6

The Add App menu could return an error for non-admin users

In the Community Manager developer portal, selecting the Add App menu could intermittently fail for non-admin users, returning an HTTP 401 Unauthorized Error.

Support ticket: SUPPORT-43222

The PM.ALERTS table in a sharded Mongo cluster now uses an auto-generated value for its ID

In Policy Manager, the PM.ALERTS collection's _id now uses an auto-generated value, while still maintaining the sequence numeric value in the id field. This addresses an issue in which the Akana Alerts service could fail in a sharded Mongo environment if the _id column was selected as part of the shard key for the PM.ALERTS collection.

Note: In 2020.1.0, the _id field in PM.ALERTS was modified to use the numeric value from the Mongo auto-generated ObjectId value. This change has been reverted to use the Mongo auto-generated _id value.

Support ticket: No related support tickets.

Regression could cause an error when creating an app in the Community Manager developer portal

After an upgrade from 2019.1.7, an HTTP 401 Unauthorized Error could be returned for an app created by a non-admin user.

Support ticket: SUPPORT-42937

With CSRF enabled, some API policy and process pages did not load

In the Community Manager developer portal, some API policy and process pages were not loading if CSRF was enabled in the Akana Administration Console (that is, when com.soa.console.csrf > org.owasp.csrfguard.Enabled was set to "true").

Support ticket: SUPPORT-39230

Password security updates from 2020.2.5 reverted

Work related to the entry "General updates to strengthen password security" from the 2020.2.5 release has been reverted in this release due to a regression that disallowed editing configurations for PIDs containing passwords. This issue will be addressed in a future release.

Support ticket: No related support tickets.

Version 2020.2.5

May 17, 2021

Enhancements: 2020.2.5

Filtering a search by tags is now supported

The search filters in the Community Manager Developer Portal now support searching by an API or app's tag.

Support ticket: SUPPORT-40632, SUPPORT-41146

Community Manager themes now support dynamic resizing on static pages

In the Community Manager developer portal, the height of static pages can now be resized dynamically when there are expand/collapse sections. This enhancement applies to these pages:

Hermosa theme:

  • home/landing
  • home/support
  • API > Documentation

Simple Dev theme:

  • welcome
  • help
  • documentation

Bonita theme:

  • welcome
  • help
  • API > Documentation

Support ticket: SUPPORT-40842

Bug Fixes: 2020.2.5

Throughput Quota Policy could return inconsistent results

The Throughput Quota Policy (a Quality of Service (QoS) policy) could return inconsistent results, making it difficult to determine if the defined quota or queue size was being properly applied.

Support ticket: SUPPORT-42252

The HTTP Message Validation Policy could log unencoded special characters in error messages

Error messages produced by the HTTP Message Validation Policy could include unescaped or unencoded characters.

Support ticket: SUPPORT-36377

For the OpenID Connect Provider domain, some user data was displayed incorrectly at login

For the OpenID Connect Provider domain, the country code and phone number could be displayed incorrectly at login.

Support ticket: No related support tickets.

Regression when running some recipe scripts that include a property without a value

Some recipe scripts failed when updating a PID that included a property with no value, after an upgrade from 2020.1.5.

Support ticket: SUPPORT-42452

Envision: Startup error could occur that would require a restart of the container

The Envision container could require a restart at initial startup, due to the OSGi (Open Services Gateway initiative) framework bundle not initializing correctly.

Support ticket: No related support tickets.

API Details page was not displaying all properties for sample using "allOf"

The API Details page in the Community Manager Developer Portal was not displaying all sample properties when the allOf property was included in the schema definition.

Support ticket: SUPPORT-41583

General updates to strengthen password security

In addition to other updates, verification was performed to ensure that passwords are correctly defined as a "password" type to avoid them being treated like any other property.

Support ticket: No related support tickets.

Customization: When creating a new static page, customers can override the default post-login redirect behavior for the page

By default, with a few exceptions, if a user is on a page in the Community Manager developer portal and then logs in from that page, the user is taken back to the same page after login.

When creating a new static page, customers can now override this default login behavior so that if the user is on the static page, and then logs in, the user is taken to the Action Dashboard. For details and instructions, see Creating a New Static View in Hermosa Theme, with override of default redirect behavior.

Support ticket: SUPPORT-40635

Duplicate audit entries when Detailed Auditing and Business Metrics policies were both attached to an API

In a scenario where Envision was installed and the Detailed Auditing and Business Metrics policies were both attached to an API expecting a JSON response, there were duplicate entries in the request and response audit logs.

Support ticket: SUPPORT-42172

Version 2020.2.4

April 19, 2021

Enhancements: 2020.2.4

Obsolete jQuery versions have been removed

Obsolete jQuery libraries have been deleted from the product. The only distributed version is 3.4.1.

Support ticket: SUPPORT-31089

Ability to embed generated API documentation, including embedded Test Client, in a third-party portal

The generated API documentation currently displayed in the developer portal, either OpenAPI or Swagger, can now also be embedded in a third-party portal. If the generated API documentation includes the embedded Test Client functionality currently supported in the developer portal, embedded Test Client also works in the third-party portal.

Support for this feature includes a new library and a new working customization example in the customization ZIP file. If you do not have the customization ZIP file, ask Technical Support.

Authentication/authorization for the user's access to the API documentation from the third-party portal can be handled by the developer portal's SSO login functionality; for example, with SAML Web SSO or OpenID Connect.

Support ticket: SUPPORT-40315

The version was not displaying properly for APIs and apps on some pages

In the Community Manager developer portal, the version dropdown for APIs and apps was not clickable and the down arrow was not visible in some cases, so that multiple versions would not display. This occurred on the API Documentation page, the API Overview page, and the App details page.

Support ticket: SUPPORT-41168

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups, each entry in the search results includes a list of tags defined for that resource, if they exist. Each tag is now a hyperlink; clicking a tag in a search results entry returns a list of resources that use that tag. The list is specific to the type of resource. For example, on the All APIs page, clicking a tag in a search results entry gives a list of all APIs with that tag. To return a list of all resources that have a specific tag (APIs, apps, and groups), use the top general search bar.

Support ticket: SUPPORT-40634

New search scope capability for an API

The Community Manager developer portal has added support for selecting a search scope, available from the API's Manage Licensing page when "Enable Licensing for API" is selected.

Support ticket: SUPPORT-41169

Envision Demo Data plugin could fail to create charts and dashboards

The Akana Sample Datasets for Demo Charts plug-in, which provides a series of sample datasets for demo charts, could fail to create charts and dashboards, due to special characters in the description fields for these models.

A new configuration property has been added to the Akana Administration Console: analytics.validation.text.denylist under com.soa.persistence.console. This configuration can allow or disallow special characters in the description field used in Analytics Manager.

Support ticket: No related support tickets.

Bug Fixes: 2020.2.4

Operation-level tags duplicated on API Details or Documentation pages

For operation-level tags, the tag name was used for both the name and description if no description was defined, resulting in the display of a duplicated tag name on the API Details and API Documentation pages. Now, just the name is displayed if there is no description.

Support ticket: SUPPORT-41166

The scrollbar on the API Overview page initialized incorrectly

In the Community Manager developer portal, the scrollbar on the API Overview page could initially appear in the middle of the page rather than at the top.

Support ticket: SUPPORT-41167

Creating a container using recipes could return an error

A timing issue during container startup intermittently caused the default certificate parameters to be unavailable when the container identity was generated, leading to an exception.

Support ticket: SUPPORT-37932

The version was not displaying properly for APIs and apps on some pages

In the Community Manager developer portal, the version dropdown for APIs and apps was not clickable in some cases, so that multiple versions would not display. This occurred on the API Documentation page, the API Overview page, and the App details page.

Support ticket: SUPPORT-41144

Login Entry Page customization did not launch the desired page

After customizing the Login Entry page to open a custom page rather than the default Action Dashboard, the Action Dashboard would still open.

Support ticket: SUPPORT-40876

For a null JSON property value, Elasticsearch indexing could fail

Elasticsearch indexing could fail when parsing a JSON object with a property value of JSONNull.

Support ticket: No related support tickets.

Searching in Community Manager could produce inconsistent results

When searching in the Community Manager developer portal using the top-level search box or the filter search box, the results could be inconsistent, depending on the order of keywords entered.

Support ticket: SUPPORT-40951

Importing a package could fail to add an included script

While importing a package into either Policy Manager or the Community Manager developer portal, if the package file included a script, sometimes the script did not get added and the service would not get deployed, resulting in an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-39727

Setting a protocol header in a script activity in an operation process could fail

Adding a SOAP header using a script activity in an operation process failed, returning an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-40865

Version 2020.2.3

March 19, 2021

Enhancements: 2020.2.3

Multiple, selected dashboard notifications can now be deleted at once

For a role with permissions to delete a notification, multiple dashboard notifications can now be deleted, either by selecting all or some, then selecting "Delete Checked."

Support ticket: SUP-10607, SUPPORT-40289

"APIs I'm Following" widget now available for inclusion on the Action Dashboard

A widget to display "APIs I'm Following" can now be added to the Community Manager developer portal's tenant Action Dashboard or any other page. Previously, this was found only under the My APIs page.

Support ticket: SUPPORT-40444

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups on their respective "details" pages, each returned entry includes a list of tags used for that resource, if they exist. These tags are now each hyperlinks, so that clicking on a tag returns a list of all APIs, apps, or groups with that tag.

Support ticket: SUPPORT-40634

Bug Fixes: 2020.2.3

In Policy Manager, real-time charts could fail to display

When configured behind a reverse proxy that terminates SSL (HTTPS), the real-time charts could fail to display.

Support ticket: SUPPORT-40188, SUPPORT-39230

Real-time charts could fail to populate a start and end date time when viewing data

In Policy Manager's Real-Time Charts, selecting the View Data button could fail to populate the start and end date and time, resulting in an intermittent failure to display the logs via the Logs tab.

Support ticket: SUPPORT-40247

Some Community Manager URLs with special characters could expose an XSS vulnerability

Due to the inclusion of some special characters, some URLs in the Community Manager developer portal could result in a Cross-Site Scripting (XSS) vulnerability.

Support ticket: SUPPORT-41131

Open Banking Client Authentication policy could fail on APIs deployed on Network Director

For an API deployed on Network Director, the Open Banking Client Authentication policy could fail to process requests.

Support ticket: SUPPORT-40881

Policy Manager displayed SQL error details at login if the database was unreachable

The Policy Manager login page could display the internal SQL query error if the database was unreachable. Now, a generic error message "General System Error. Please contact Administrator" is displayed if the database cannot be reached.

Support ticket: SUPPORT-40572

JOSE Security Policy using JWKS could expose class name in a returned error

A JOSE Security Policy v2, configured for JWKS but not enabled for UK Open Banking support, could expose the exception class name in a returned error, for example: "faultstring":"Authentication error. com.soa.transport.http.HttpException: HTTP Error..."

This was a regression from a previous release. Now, a returned fault appropriately omits the class name, returning, for instance: {"faultcode":"Server","faultstring":"Authentication error. Internal Server Error"}.

Support ticket: SUPPORT-25000

Installing the Policy Manager Services feature did not install the HTTP Headers Injection policy handler bundle

The Policy Manager Services feature, which includes the Security Services feature, did not install the HTTP Headers Injection policy handler bundle unless the Akana Policy Manager Console feature was also installed. As a result, the HTTP Header Injection policy did not work in a Policy Manager container with no Console feature installed. This policy is now installed with the Security Services feature.

Support ticket: No related support tickets.

Login with 2FA was failing when more than one delivery option was enabled

Two-factor authentication could fail when multiple delivery options were enabled in the workflow for receiving the authentication code, such as enabling both email and text messages.

Support ticket: No related support tickets.

The Contract API for an API Version intermittently failed

The Get Contract Versions API (http://docs.akana.com/cm/api/apis/m_apis_getContractVersions.htm) for an API version could fail, in some cases in which there are a large number of contracts.

Support ticket: SUPPORT-40739

Version 2020.2.2

March 8, 2021

Enhancements: 2020.2.2

API Overview page no longer displays the Endpoints section

In the Community Manager developer portal, the Endpoints section on the API Overview page has been removed.

Support ticket: SUPPORT-40340

Importing a Swagger or OpenAPI 3.0 document now updates the version

Importing a modified Swagger or OpenAPI 3.0 document using the API Designer Edit page did not update some parts of the document, specifically the info.version element. Support has been added for updating the API version if the info.version element in an updated design document changes.

Support ticket: SUPPORT-39972

Bug Fixes: 2020.2.2

The API Details page could display invalid characters in the schema for the request body

When importing an API into the Community Manager developer portal, a schema description containing special characters was displayed as invalid characters.

Support ticket: SUPPORT-40296

The Rhino javascript engine could result in script evaluation failures

An upgrade of the Rhino javascript engine resulted in intermittent script evaluation failures in which API calls could return an HTTP 404 "Not Found" error, along with the error "java.lang.NoClassDefFoundError: org/mozilla/javascript/NativeJavaPackageHelper."

Support ticket: SUPPORT-40978

An API's documentation page could report an error when displaying operations

For some Request body content-types, an API's documentation page, at API > Documentation, could fail to display operations when expanded, and report an error.

Support ticket: SUPPORT-40254

Schema installation for dropping a view failed with Microsoft SQL Server 2012

For Microsoft SQL Server 2012, when installing the Akana API Platform version 2019.1.22 or later, database schema installation for dropping a view could fail.

Support ticket: SUPPORT-40526

API Designer did not correctly display the Value or Sample field

On an API's Details > Design page, the Request body's "Value" field and the Response body's "Sample" field could fail to display for some compound schemas using Open API Specification 3.0 or Swagger 2.0. Support has been added for the field "Sample" for compound schemas in Swagger and Open API documentation.

Support ticket: SUPPORT-40257

The Customization link on Simple Dev and Bonita theme home page returned an error

The "How to Customize" link on the home page of the Community Manager developer portal for the Simple Dev and Bonita themes was broken. It now properly launches the "Detailed Customization Document" page on the Akana docs site.

Support ticket: SUPPORT-39977

Version 2020.2.1

February 17, 2021

Enhancements: 2020.2.1

Updates to the UI's API Implementations pages

Enhancements have been made to the UI, in particular to the API > Implementations pages, to clarify some functionality.

Support ticket: No related support tickets.

Deprecations and Removals

Consumer Gzip content encoding removed and the consumerGzip configuration is deprecated

Gzip content encoding on the consumer side has been removed, and the configuration transport.config.consumerGzip is now deprecated (available in the Akana Administration Console under Configuration > com.soa.transport).

Support ticket: No related support tickets.

Bug Fixes: 2020.2.1

Compound schemas with cyclic references were not supported in the API Designer

Updates to the UI have been made to improve performance and to support compound schemas with cyclic references.

Support ticket: SUPPORT-40095

Some client certificates were rejected with SSL errors

The default SSL endpoint identification algorithm configured by Jetty 9 caused a change in behavior during SSL handshakes for mutual authentication. This more stringent algorithm led to certain client certificates being rejected.

Support ticket: SUPPORT-40380

APIs with a large number of connections could not be deleted

For APIs with hundreds of connections (contracts to apps, in this case), deleting the API version could fail, exceeding the number of prepared statements or cursors allowed in the database per session.

Note that if deleting the API version fails for another reason, some or all contracts could still be canceled (although the contracts could be canceled in the usual way).

Support ticket: SUPPORT-40157

Deleting an LDAP user in Policy Manager could result in an error

When a user was deleted from an LDAP server in Policy Manager, if that user had also logged into Community Manager at some time prior, an error could occur. Now, deleting an LDAP user works as expected.

Support ticket: SUPPORT-29121, SUPPORT-3382, SUP-10427, SUP-15966, SUPPORT-1199, SUPPORT-38345, SUP-17739, SUP-18759, SUPPORT-38225

HTTP method could be returned as null

A concurrency issue in the Java DOM (Document Object Model) could lead to errors when reading data from WSDL documents in a multi-threaded environment. This was intermittently causing the HTTP method defined in the WSDL to be returned as null.

Support ticket: SUPPORT-22829, SUP-18551, SUP-18819, SUPPORT-3174, SUPPORT-3442, SUPPORT-23547, SUPPORT-23857, SUPPORT-24784, SUPPORT-27207, SUPPORT-27586, SUPPORT-34085, SUPPORT-39326, SUPPORT-22567, SUPPORT-22779

Users with appropriate privileges could not access an API's discussions

In some cases, users with roles mapped with appropriate privileges were unable to create or view discussions on a private API.

Support ticket: SUPPORT-39976

Roles mapped to an LDAP group were ignored for a user in some cases

For users assigned to a group in LDAP, signing into the Community Manager developer portal could result in incorrectly assigned privileges that did not reflect the role to which the LDAP group was mapped.

Support ticket: SUPPORT-39971

User-defined roles were not taken into consideration in certain scenarios

In some cases, user-defined roles were not considered in contract workflows.

Support ticket: SUPPORT-39952

The API Designer's Import and Cancel buttons could produce an error

For APIs created with JSON files that had a large number of operations, the API Designer's Import and Cancel buttons were sometimes unresponsive.

Support ticket: SUPPORT-39813

Customization files are no longer generated for all themes

When adding or modifying a theme, and saving the updates in the Site Settings page, the platform no longer automatically generates out-of-the-box customization files for all current themes.

Support ticket: No related support tickets.

Version 2020.2.0

February 11, 2021

Create indexes for MongoDB before upgrading

If you're using MongoDB, it's recommended to create indexes before upgrading to 2020.2.x:

use METRIC_ROLLUP_DATA
db.OPERATIONAL_METRIC.createIndex(
  {"value._rolluptype": 1, "value.executorId": 1},
  {name: "OPERATIONAL_METRICDeleteOnIDX", background: true})
db.OPERATIONAL_METRIC.createIndex(
  {"value._rolluptype": 1, "value.rawIds": 1},
  {name: "OPERATIONAL_METRICRecoveryIDX", background: true})

Key Features: 2020.2.0

Technology upgrades

This release incorporates several upgrades to technologies and tools. See System Requirements for Akana Platform 2020.2.x for details. These include:

  • MongoDB
  • Elasticsearch
  • Adobe Flash has been replaced in Policy Manager's Real Time and Historical Charts.

AWS CloudHSM support

Akana adds support for the AWS CloudHSM cloud-based hardware security module.

Docker images

Enhanced support has been added for installation via specific Akana Docker images to enable better environment standardization, portability, compatibility, and ease of maintenance.

NTLM V2 support

The authentication protocol NT LAN Manager version 2 (NTLMv2) is now supported.

Community Manager developer portal enhancements

Multiple enhancements have been made to the Community Manager portal. Among them are:

  • Bonita theme Improvements: Bonita theme now includes an API Access Wizard, supports authored documentation, and has more intuitive navigation functionality. See Bonita Theme on the Akana docs site.
  • Operation-specific policy support: Policies can now be assigned to a specific API operation, in addition to assigning at the API level. See "To assign a policy to a specific operation in an API implementation," on the Akana docs site.

New documentation on customizing the Community Manager developer portal

Multiple options are available to customize the portal, now documented in detail at "Detailed Customization Document" on the Akana docs site.

Envision enhancements

Envision has been enhanced with several usability improvements and security fixes, including the addition of chart creation guidance when filtering, the display of chart loading information, and the ability to edit a chart without first previewing it, improving performance.

Lifecycle Manager Repository Client

The Lifecycle Manager Repository Client has now been certified on macOS.

Enhancements: 2020.2.0

Envision login could pose potential security risk on LDAP domain

When logging into the Envision Console on an LDAP domain, valid usernames could potentially be exposed through repeated logins. For example, if an invalid username was provided, the application returned "User <username> does not exist." Now a generic message "Invalid user credential" is returned in all cases.

Support ticket: SUPPORT-2387, SUP-17761

Lifecycle Repository extended properties can be configured as a single value or multiple values

For API, App and User extensible properties, Community Manager now supports the configuration of a single value or multiple values. A multi-value list can include free-form values added by the user.

Support ticket: No related support tickets.

Automation recipes enhanced with additional security configuration options

Out-of-the-box automation recipes have been enhanced to support various use cases configuring security across Akana containers.

Support ticket: SUPPORT-36354

MongoDB can now be configured for recovery jobs

When using the MongoDB Support plug-in to manage audit and metrics data, new options are available to configure recovery jobs. These options help avoid loss of metrics data and ensure data accuracy during a roll-up process. In the Akana Administration Console, these are available at Configuration > com.soa.persistence.mongodb:

Property                                           Default   Description
persistence.mongodb.rollup.maxRecoveryBatchSize    10,000    The maximum number of raw records in a batch for a recovery job
persistence.mongodb.rollup.skipRecoveryIteration   10        Number of iterations to skip before running recovery jobs

Support ticket: No related support tickets.

Akana OAuth/OIDC Provider Domain adds support for PKCE

This release adds support for the optional PKCE security extension for OAuth, with the Authorization Code grant type. PKCE (Proof Key for Code Exchange) enhances security by adding an additional key with the authorization code request and again with the token request. For more details, see Akana OAuth/OIDC Provider Domain: Tab 2, Grant Types - Configuration Values on the Akana documentation site.

Support ticket: No related support tickets.
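An added example (not Akana's code) of what the PKCE extension described above adds to the Authorization Code flow: the client derives an S256 code challenge from a random code verifier, the authorization server stores the challenge with the issued code, and the token request is only honoured when the presented verifier hashes back to that challenge. The AuthorizationServer class is a hypothetical stand-in for the provider, not the Akana implementation.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code verifier; 32 bytes give 43 characters, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical provider: binds the challenge to the code at authorize time
    and checks the verifier at token time. One-time use of the code is enforced."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            return False
        stored_client, challenge, method = entry
        if stored_client != client_id or not 43 <= len(code_verifier) <= 128:
            return False
        expected = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        # constant-time comparison so the check does not leak via timing
        return hmac.compare_digest(expected, challenge)


def demo_flow() -> bool:
    """Full round trip with a freshly generated verifier; returns True on success."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("app-1", code_challenge_s256(verifier))
    return server.token("app-1", code, verifier)
```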

Configure data chunk size in MongoDB for improved resource management

Admins can now control the number of records for a Mongo MapReduce operation to avoid processing delays and meet SLA requirements if resources are tight or the amount of data is high. A new maxBatchSize configuration property is available in the Akana Administration Console at Configuration > com.soa.persistence.mongodb > persistence.mongodb.rollup.maxBatchSize. The default setting is 10,000.

Support ticket: No related support tickets.

New AllowListedCrossSiteScripting policy in Policy Manager

A new operational policy, AllowListedCrossSiteScripting, replaces the WhiteListedCrossSiteScripting policy in Policy Manager under Registry > Policies > Operational Policies > AllowListedCrossSiteScripting. Existing WhiteListedCrossSiteScripting policies will be retained.

Support ticket: No related support tickets.

Customization samples available to download from the Customizations page

A zip file of the customization samples is now available to download from the Customization page, accessed via More > Admin > Customization > Download Customization Samples.

Support ticket: No related support tickets.

Assign a policy at the operation level

Assigning a policy to a specific operation in an API implementation, rather than to the entire implementation, is now supported. See How do I assign policies to my API implementation? on the Akana documentation site. This functionality is also supported in the Test Client, both in the context of the Community Manager developer portal and when Test Client is embedded in authored API documentation.

This resulted in changes in the request and/or response to some existing operations that manage information about policies attached to an API.

Previously, these operations used the Policies model object, whether directly or nested within another model object. The Policies object includes an array of information about one or more policies attached to the service. These operations now use additional information, to accommodate policy attachments at the operation level in the developer portal and the APIs:

  • Policy[ ]: An array of information about one or more policies attached to the service
  • ApiOperationPolicy[ ]: An array of information about the operation and about one or more policies associated with it

Modified operations include:

ApiVersion:

TargetAPI:

TargetAPI (field TargetAPI inside ApiVersion; see above)

APIImplementation:

Support ticket: SUPPORT-36137, SUPPORT-3459

Get Contract Versions API supports pagination

The Get Contract Versions API, GET /api/apis/versions/{APIVersionID}/contracts, now supports pagination using the optional start and count query parameters.

Support ticket: SUPPORT-35863

Bonita theme now includes an API Access Wizard

In Bonita theme, you can request access to APIs using the API Access Wizard, just as you can in Hermosa theme, available via an "Access" button on the API Details page.

Support ticket: No related support tickets.

Bonita theme adds support for authored documentation

In versions prior to 2020.2.0, Bonita theme supported viewing generated documentation in Swagger 2.0 and OAS 3.0, but not authored documentation. In version 2020.2.0, Bonita also supports viewing authored API documentation that has been uploaded, including all aspects of API documentation functionality. For more information, see Bonita theme: API functionality on the Akana documentation site.

Support ticket: No related support tickets.

Policy Manager Real Time Charts no longer use Adobe Flash

The Real Time Charts in Policy Manager no longer use the Adobe Flash Player, which Adobe stopped supporting on December 31, 2020. The new, improved versions display similarly to earlier, Flash-based charts.

Support ticket: No related support tickets.

Latency when querying MongoDB for service data

Filtering usage data by service has been improved by correcting the improper use of an index.

Support ticket: SUPPORT-34899

Support for Elasticsearch version 7.9.x

Support for Elasticsearch version 7.9.x has been added. Previous versions of Elasticsearch are incompatible with the API Platform, and support for the Elasticsearch Transport Client has been removed. Users must upgrade servers to Elasticsearch 7.9.x, as follows:

1. Upgrade Elasticsearch servers to use version 7.9.x.

2. Configure or update the REST Client URL(s) in:
Akana Administration Console > Configuration > "Configure Elasticsearch Global Configuration".

3. Delete the old indices by name or delete all indices using "_all":

curl -XDELETE 'http://<ES_HOST>:<ES_PORT>/_all'

4. Reindex all the objects by running the following SQL statement against the platform database:

delete from INDEX_STATUS;

Support ticket: SUPPORT-32942, SUPPORT-33935

Envision: Exporting charts functionality has been removed

Exporting a chart as an image, previously available from several Envision dialogs, has been removed to avoid potential security issues.

Support ticket: SUPPORT-2383, SUP-17757

Search capability added to the Policies page for an organization

On the Policies page, accessed in the Community Manager portal via Organizations List > choose an organization, search tools are now available to help locate a policy.

Support ticket: No related support tickets.

Policy Manager: Dependency Map has been removed

Policy Manager's Dependency Map has been removed from the UI, previously available at Services > Monitoring > Dependencies.

Support ticket: No related support tickets.

Process Editor now available from API Details page

The Process Editor, previously accessed only via the API > Implementations page, is now available from the API Details page. To open it, choose API > Details > Design section > specific operation, Actions drop-down; then select Edit Live Process or Edit Sandbox Process.

Support ticket: No related support tickets.

JRE version security patch updated

The JRE version 1.8 has been updated with the latest security patch, version 8u265.

Support ticket: No related support tickets.

New SMTP task sets SMTP properties

A new Akana Administration Console task, "Configure SMTP server settings for email sending," sets SMTP properties via automation recipes. To run the task in automation, use the recipe file tasks/smtp-settings.json.

Support ticket: SUPPORT-33864

Envision: Chart creation now features UI guidance on filters that could improve analytics performance

When creating charts in Envision, certain selections can negatively impact analytics performance; for example, filtering by an unnecessarily broad time range would result in long loading times that present undesired data.

Envision chart creation has now been enhanced to:

  • Set default timestamp filters that focus on the most recent data.
  • Warn on potential time range mistakes; for example, a choice of a DAY interval with a timestamp filter greater than "1 WEEK FROM" the current date prompts a warning message to consider using the WEEK interval instead.
  • Warn to drill down at a finer granularity when building a drilldown chart.
  • Warn when using a TO_DATE filter that a FROM_DATE should also be added to avoid processing unintended historical data.

Support ticket: No related support tickets.

New automation recipe to update Elasticsearch index

If new Elasticsearch indexes are added or existing indexes are modified, a new automation recipe, cm-es-index-upgrade.json, is available to update the index. This recipe takes no parameters. See Updating the Elasticsearch index on the Akana documentation site for detail.

Support ticket: No related support tickets.

Envision: UI forms now identify all required fields with an asterisk

Any required fields in an Envision UI form are now clearly marked with an asterisk (*).

Support ticket: No related support tickets.

Envision: Dashboard displays chart loading information

The Envision dashboard now displays loading animation while each chart loads to provide a visual cue of progress.

Support ticket: No related support tickets.

Envision: Ability to edit a chart without first previewing it

The ability to edit a chart without first running a preview has been added. This can avoid a wait when charts take a long time to load.

Support ticket: SUPPORT-2579, SUP-17954

Deprecations and Removals for 2020.2.0

Default Theme is removed with 2020.2.0

Default Theme was deprecated in 2020.1.0 and has now been removed from the UI. If you are using Default Theme, it will continue to work as before, but it is not supported. All customers using Default Theme should move to the Hermosa Theme, and migrate any customizations. For example, port header customizations according to Community Manager: Migration Guide and Community Manager: Detailed Customization Document. Other customizations should continue to work, but style customizations are likely to be required.

Support ticket: No support ticket

Simple Developer theme is deprecated

The Simple Developer theme (Simple Dev) is deprecated and will be removed in a future major release. A newer theme, Bonita, also has a streamlined UI and provides read-only access to API information.

Support ticket: No support ticket

NTLMv1 is deprecated

The authentication protocol NT LAN Manager version 1 (NTLMv1) is deprecated; the platform now supports NTLMv2.

Support ticket: SUPPORT-37466

Bug Fixes: 2020.2.0

Community Manager required fields did not display an asterisk

In the Community Manager developer portal, mandatory fields in the API documentation's Schema section for Swagger and Open API documents now properly display an asterisk (*).

Support ticket: SUPPORT-35475

API Details page did not display operation details

The API Details page did not fully populate with operation details for some APIs.

Support ticket: SUPPORT-39524

Community Manager SSO login to Open Banking could experience errors when retrieving trusted CA certificates

Single sign-on (SSO) login for UK Open Banking could fail to return the trusted CA certificate when the database contained a very large number of CA certificates.

In the Akana Administration Console, a new setting now provides control of the cache expiration interval allowed for trusted CA certificates, under Configuration > com.soa.subsystems > trusted.ca.cache.expireIntervalMillis. The default is 60,000 milliseconds, or one minute. It's recommended to increase the cache time to 5 to 10 minutes. Restart is not required for the configuration to take effect.

The SQL prepared statement used with all the possible context paths for the public certificates is rounded up to the nearest 100. The statement can be profiled based on the number of public certificates in the system. For example, for 620 or 667 public certificates, profile the SQL for 700.

Support ticket: SUPPORT-36496

Jetty setting context.manager.maxFormSize did not work for default value

The Jetty transport setting that controls the maximum number of bytes allowed in a form returned errors when the default value of 0 was set. A default of 0 should allow 200,000 bytes, but the request was instead erroneously rejected. This setting is accessed in the Akana Administration Console under com.soa.platform.jetty > context.manager.maxFormSize.

Support ticket: SUPPORT-34297

Next Hop URL missing for SOAP service failures

For a SOAP service failure when an HTTP error 500 Internal Server Error was returned, the Policy Manager usage logs contained an empty Next Hop URL field.

Support ticket: SUPPORT-34119

Defining a role in Policy Manager could display incorrect domains

The Policy Manager "Manage Role" function could display unsupported domains for selection in the "Within" dropdown (Policy Manager > Registry > Security tab > Manage Role). Now, only LDAP, Active Directory, or the local domain are displayed.

Support ticket: SUPPORT-37214, SUPPORT-37450

For OpenAPI 3.0 or Swagger 2.0, a complex, compound schema could display operation details incorrectly

When using OpenAPI 3.0 or Swagger 2.0, an API description document with complex, compound schemas containing keywords allOf, anyOf, or oneOf could result in a malformed display of operation details.

Support ticket: SUPPORT-38857

Network Director: Script execution allowed requests for unsupported script languages

Script execution is now validated at runtime against the engine types listed in com.soa.script.framework.properties in the Akana Administration Console for Network Director. If the script type is not found in the script.engine.manager.engines properties list, script execution will fail.

Support ticket: No related support tickets.

The Sign Up page could fail to load when images were enabled on login domains

When trying to open the Sign Up page by clicking the Create Account tab in the Community Manager developer portal, the page could fail to load and would display an error if images or logos were in use for any enabled login domains.

Support ticket: SUPPORT-36489

A vulnerability in the Akana Administration Console could result in an SSRF attack

A vulnerability was identified in the Akana Administration Console that could have resulted in a Server Side Request Forgery (SSRF) attack.

Support ticket: SUPPORT-37566

Network Director connections could hang in CLOSE_WAIT state

In certain scenarios, the connections on Network Director could hang in a CLOSE_WAIT state, resulting in socket timeout exceptions for the clients. The Jetty server upgrade has addressed this issue.

Support ticket: SUPPORT-35839, SUPPORT-32186, SUPPORT-36814

External OAuth Provider Domain: Documentation clarification re X.509 Certificate URL

In some cases, there were problems in accessing the X.509 certificate URL for the External OAuth Provider domain. The platform requests the certificate using a POST API call, and the X.509 certificate URL must support POST requests. The documentation has been updated to clarify this requirement (External OAuth Provider Access Token Validation page, Signing Keys field).

Support ticket: SUPPORT-21712

OpenAPI 3.0 API documentation could display invalid Content-Type

When using OpenAPI 3.0, the API documentation could display an invalid Content-Type in the request body when viewing the documentation via the APIs > My APIs > choose API > Documentation tab.

Support ticket: SUPPORT-38035

HTTP request smuggling vulnerability

A possible HTTP request smuggling vulnerability has been addressed by the Jetty server upgrade.

Support ticket: SUPPORT-28819

Jetty version has been upgraded to 9.4.31

The version of Jetty bundled with the Akana API Platform has been updated to 9.4.31.

Support ticket: SUPPORT-29284, SUPPORT-29395, SUPPORT-26187, SUPPORT-20513, SUPPORT-32186, SUPPORT-28819

UI enhancements to the API or App Details page

In the Community Manager developer portal, several enhancements have been made to the API Details and App Details pages for improved usability:

  • For the Bonita theme:
    • The left navigation bar Analytics entry on the API or App Details page now includes sub-menu entries Overview, Charts, Logs, and Licenses.
    • The Analytics section on the API Details page now provides access to license monitoring at APIs > My APIs > choose API > Analytics > Licenses.
  • On all themes on the API Details page, the Edit button has been moved into the API Description pane rather than above it.

Support ticket: No related support tickets.

Metrics API sometimes returning incorrect value

The Get Metrics API (GET /api/apis/versions/{APIVersionID}/metrics) was sometimes returning the wrong value for totalRequestSize and totalResponseSize.

Support ticket: SUPPORT-36498

RAML Parser upgraded from 0.8.7 to 0.8.40

The RAML Parser jar version has been upgraded from 0.8.7 to 0.8.40 to ensure proper API creation when importing a RAML file.

Support ticket: SUPPORT-37007

The "Comment on Ticket API" did not send notifications to the creator of a ticket

When adding a comment to a ticket using the Comment on Ticket API, POST /api/tickets/{TicketID}/comments, no notification was sent to the ticket creator. Notifications are now properly sent.

Support ticket: SUPPORT-34312

Invalid username could result in a security vulnerability

In some cases, an invalid username could be inserted into an LDAP query, resulting in an application exception and a subsequent LDAP injection vulnerability.

Support ticket: SUPPORT-2390, SUP-17764
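An added example (not Akana's code) of the class of defect described above and its fix: a username concatenated straight into an LDAP search filter lets filter metacharacters change the query, whereas escaping the value per RFC 4515 and validating it against an allowed character set before use keeps it a literal. The filter template and the username policy are assumptions for illustration.

```python
import re

# RFC 4515 filter-value escapes; a backslash must be escaped first via the map lookup
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed username policy: letters, digits, dot, underscore, hyphen, 1..64 chars
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it is treated as literal text inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """The defective pattern: raw interpolation, metacharacters reach the directory."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter(username: str) -> str:
    """Hardened: reject out-of-policy input up front, then escape what is left."""
    if not _USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def filter_matches_all_users(ldap_filter: str) -> bool:
    """Crude detector for review and tests: an unescaped '*' in the uid assertion."""
    m = re.search(r"\(uid=([^)]*)\)", ldap_filter)
    return bool(m) and "*" in m.group(1)
```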

Lifecycle Repository Runtime Configuration did not update extended metadata

When extensible metadata is enabled in the developer portal, the Lifecycle Repository Runtime Configuration did not always reflect updated metadata values for an API. Now asset properties are appropriately updated in the database before the Runtime Configuration is invoked.

Support ticket: SUPPORT-35841

Envision: Some data written to the database could alter the JSON response

In some cases, data written to a MongoDB database could include literal backslash escape characters, resulting in an alteration of the JSON response and a potential security threat. Now, all Envision APIs validate input appropriately before writing to the database. Any data out of spec returns an HTTP 400 Bad Request error.

Support ticket: SUPPORT-2384, SUP-17758, SUPPORT-2385

Deleting an organization produced an error when Lifecycle Repository was enabled

When Lifecycle Repository is installed and enabled, deleting an organization in Community Manager could fail.

Support ticket: SUPPORT-36083

UI upgrades to theme headers and footers

The header and footer logos in all themes have been updated for consistency. The DevOps theme header is now consistent with the Bonita theme.

Support ticket: No related support tickets.

Creating multiple APIs concurrently could result in deadlock

When creating multiple APIs concurrently, database deadlock could result in some cases. The possibility of database deadlocks has now been reduced.

Support ticket: No related support tickets.

Lifecycle Coordinator topology PUT method could fail

Invoking the PUT method for the TopologyAPI did not properly update the "topologyTenants" property in the table "INSTALLPROPS" for all tenants.

Support ticket: SUPPORT-20605