Akana API Platform Release Notes 2020.2.0

Elasticsearch Log Appender Plug-In has been replaced in 2020.2.17

The Akana Elasticsearch Log4J Appender Plug-In no longer works with releases after 2020.2.16 following the introduction of Log4J 2.x as the core logging framework in the Akana product. Because of this, a new off-the-shelf appender is now incorporated into the product. Users of the legacy Appender will need to migrate to the new configuration when upgrading. For detail, see "Configuring the Elasticsearch Log Appender (2020.2.17 and later)" on the Akana docs site.

Support ticket: No related support tickets.

Importing, then updating scripts could render the container unable to get updates

Importing scripts and then updating them could cause the container to stop reflecting updates.

Support ticket: SUPPORT-47037, SUPPORT-47963

Apache Log4j upgraded to Log4j 2

The Apache logging service Log4j has been updated from Log4j 1.x to Log4j 2.17.1 (which avoids the known security vulnerabilities CVE-2021-45105 and CVE-2021-45046). This version of Log4J is incompatible with the previous version and requires a change to the container startup configuration. Because of this, containers will need to be recreated, as updating a container "in place" is not supported. In addition, if you have customized logging in place, you'll also need to refactor your logging configuration. For migration and configuration information, see Migration to Log4j version 2.x on the Akana docs site.

Note that Log4j 2.x requires Elasticsearch version 7.16.2, now supported as of this release.

Support ticket: SUPPORT-47917

Elasticsearch 7.16.2 now supported

The platform has added support for 7.16.2 with this release.

Support ticket: SUPPORT-48956

New configurations can enforce a JCE provider for Jose V2

A new set of configurations provide the ability to enforce the JCE provider for the JOSE Security Policy v2, available in the Admin Console under com.akana.jose.config. There are four different configurations for each step in the JOSE policy: sign, verify, encrypt, and decrypt. For detail, see "Specifying the JCE provider" on the Akana documentation website.

Support ticket: SUPPORT-47537

Parallel calls to the Request Contract API could fail

Parallel calls to the Request Contract API (POST /api/contracts) could sporadically return an HTTP error "500 Internal Server Error."

Support ticket: SUPPORT-43418

Jose V2 signature verification could ignore the certificate expiration

The JOSE Security Policy v2 could allow a signature to be verified based on an expired certificate, in some cases.

Support ticket: SUPPORT-47289

In Policy Manager, internet restrictions could impact viewing policy details

Some policy configuration details did not display when access to the internet was restricted for the application.

Support ticket: SUPPORT-46233

Retrieving a token from Akana OAuth provider could fail with 404 in certain scenarios

When retrieving a token from an OAuth provider, the provider intermittently returned an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-46998

Filtering Analytics logs or charts could return incorrect results in some cases

When filtering an API chart or transaction log on the API's Analytics page, incorrect results could be returned in some cases.

Support ticket: SUPPORT-45300

Listener certificates were not updating in Policy Manager

Containers created with HTTPS listeners using deployment automation could get into a condition in which the listener certificates could not be updated from Policy Manager. This was the result of the container registration logic persisting the original certificates in container metadata and overriding the updated configuration.

Support ticket: SUPPORT-41460

The Envision Metrics policy could calculate rollup data incorrectly in some cases

A logic error in the Metrics Policy could cause incorrect rollup aggregations when two events were recorded at the same time with identical dimensions.

Support ticket: No related support tickets.

New configuration to enforce a crypto provider for Jose V2

A new configuration provides the ability to enforce the crypto provider for the JOSE Security Policy v2, available in the Akana Administration Console under com.akana.jose > jose.v2.security.handler.factory.joseCryptoProvider. For detail, see "Specifying the JCE provider" on the Akana documentation website.

Support ticket: SUPPORT-45507

Importing an API from a zip file using OpenAPI 3.0 could fail on relative and example references

For an API based on OpenAPI 3.0 (OAS), importing an API from a zip file could return an error "The API definition could not be read." This was due to an issue with handling relative references and with example references not resolving, in some cases. Note that the server URL, if provided, must be absolute.

Support ticket: SUPPORT-42210

Nested schema references in Swagger documents were not resolving, in some cases

Nested schema references in Swagger documents were not being resolved in some cases, resulting in a "General System Error" on the API Details and Edit API Design pages.

Support ticket: SUPPORT-42210, SUPPORT-42292

New configuration property addresses a possible XSS vulnerability in file upload

To address a potential XSS vulnerability during file upload, the file media type can now be determined based on the internet media types (the mime.types file) which maps file types to unique file extension(s), and also by the file content itself. This is controlled by a new property in the Akana Administration Console, com.soa.atmosphere.config.useMimeTypesFile. To take advantage of this property, set it to true; the default is false. For detail, see Admin Console Settings on the Akana documentation site.

As part of this enhancement, the default value for the Query parameter on BoardAPI.getArtifact() and BoardAPI.getCommentArtifact() is now true, changed from false, meaning that the links to the file artifacts are now downloaded by default. For detail, see the documentation for GET /api/boards/items/{BoardItemID}/artifacts/{FileName} and GET /api/boards/items/comments/{CommentID}/artifacts/{FileName}.

Support ticket: SUPPORT-41131

Configuring a Network Directory/Gateway without Policy Manager could fail in some cases

The configuration of a Network Director/Gateway with only HTTPS listeners and without an available Policy Manager could fail because the Network Director would try to retrieve trusted certificates from Policy Manager. In this case, Network Director will now fall back on the bootstrap PKI configuration if Policy Manager is not available.

Support ticket: SUPPORT-45159

Public APIs did not display the API Overview page for anonymous users

Anonymous users, i.e., those not logged in, could not view the API Overview page for publicly visible APIs.

Support ticket: No related support tickets.

Hermosa theme now has descriptive search tooltips

The API search box in the Hermosa theme now has a descriptive tooltip for entering search tags, displayed when clicking in the search box. This tooltip is also available in the general search box in the filter on the search results page.

Support ticket: SUPPORT-43887

The Throughout Quota Policy could fail

The Throughput Quota Policy (a Quality of Service (QoS) policy) could return an error in certain circumstances.

Support ticket: SUPPORT-44992, SUPPORT-45018

Test Clients and documentation did not always display the Security button for APIs with the Aggregate Policy

In certain cases, the Security button for APIs using the Aggregate Policy could fail to display for Swagger documentation, OpenAPI documentation, API Test Client, and App Test client.

Support ticket: SUPPORT-44867

MongoDB index changes are no longer automatically dropped and recreated on update

MongoDB indexes on METRIC_ROLLUP_DATA and METRIC_RAW_DATA will not be automatically dropped and recreated on update. Instead, any intended index changes will be logged as an error; the MongoDB administrator will then have the responsibility to apply them as necessary.

Support ticket: No related support tickets.

New default script repository configuration

The configuration of the script repository has changed, with a new implementation based on a disk-overflow cache. This is now configured as the default, avoiding a potential deadlock that could occur when updating the script repository. The new implementation uses the following properties:

For detail, see "Script Repository Configuration" on the Akana docs site.

Support ticket: SUPPORT-36831, SUPPORT-44541, SUPPORT-44595

Database driver could fail to process a query when parameter markers exceeded 2,000

The jTDS database driver has a limitation of 2,000 parameter markers, so will fail to process a query if the markers exceed that number. This may be true of other database drivers, as well.

Support ticket: SUPPORT-43866

For MongoDB, a non-default database name could cause a problem with auditing

If a non-default authentication database name (other than the default name of "Akana") was used for MongoDB, auditing data was not persisted.

Support ticket: SUPPORT-44297, SUPPORT-44300, SUPPORT-44319, SUPPORT-44216

Setting API Default as request mediatype for an operation did not work as expected

API request payloads of content-type "application/json" were being transformed to XML before the request was sent downstream, if the request mediatype for the operation used API Default, and if the Default Media Types for the API were set to "Any in and out".

Support ticket: SUPPORT-45013, SUPPORT-43265

New workflow function supports a default role assignment to developer portal users using a specific login domain

A new workflow function, addRoleToUser, is available for custom workflow to modify the default platform behavior so that a new user, logging in for the first time with a specific login domain, is automatically assigned to a specific role.

Support ticket: SUPPORT-41444

For third-party documentation using iframes, the platform now handles session management

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), the API platform now handles session management for third-party documentation that uses iframes. When the API documentation is displayed in an iframe, the iframe takes care of renewing the session. In addition, the third-party portal can handle the session before navigating to the iframe API document via a special page (which is provided in the customization samples or from Technical Support).

To take advantage of this, set the height and width of this new page to 0 so that the token is renewed in the background. Load this special page in an iframe in all pages except the API documentation's iframe.

Support ticket: SUPPORT-43303

Custom workflow can mark a third-party user a registered user at first login

Third-party domain users can be assigned a registered state when logging into the Community Manager for the first time via a new initial action @AllowMarkUserAsRegistered. This is implemented through a custom workflow and overrides the default behavior which first assigns a pending_validation state to external domain users. See @AllowMarkUserAsRegistered on the Akana documentation website for more information.

Support ticket: SUPPORT-43689

The jose.4.j library has been upgraded from 0.6.3 to 0.6.5

The jose.4.j library used on the platform has been upgraded from 0.6.3 to 0.6.5. The new version adds support for the RSASSA-PSS algorithm, necessary when PS256 is selected for digital signing.

Support ticket: SUPPORT-44157

Accessing individual transaction logs in the developer portal could fail

In the Community Manager developer portal, accessing the individual transaction log from Analytics > Logs could fail in some cases.

Support ticket: No related support tickets.

Regression could cause an exception when creating usage metrics

After an upgrade to 2020.2.7, a Java ConcurrentModificationException could occur when creating an API's usage metrics.

Support ticket: No related support tickets.

Password security updates from 2020.2.5 reinstated

Work related to the entry "General updates to strengthen password security" from the 2020.2.5 release was reverted in 2020.2.6, but has now been reinstated.

Support ticket: No related support tickets.

File download now available on an API's documentation page

In the Community Manager developer portal, an API's documentation page now features a download option so users can download the corresponding Interface Description Language file.

Support ticket: SUPPORT-43002

Search returns results for an API's summary and description

Community Manager developer portal search returns and displays results for both an API's summary and its description, given a keyword. Previously, only results based on an API's description were returned and displayed.

Support ticket: SUPPORT-40847

The Access button to create a contract between an API and an app can now be controlled according to user role

Site Admins can control whether the Access button to create a contract between an API and an app appears or not, by implementing a custom API workflow that uses a new workflow action @DisallowApiAccess.

Support ticket: SUPPORT-40443

Embedding API documentation in a third-party portal now supports non-library dependent version

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), a non-library dependent design is now supported, for example, a design without use of JavaScript. Note that, in this case, the UI's display may be impacted, including scroll bars or a failure to display a loader message while API documentation is in progress.

Support ticket: No related support tickets.

For API descriptions using Markdown, the search returned Markdown syntax

When an API description used the Markdown language, the API Details and Overview pages processed the Markdown and displayed it correctly, but the search displayed the Markdown syntax without processing it. Now, the Markdown is converted to plain text and displayed in the search results. The API Details and Overview pages still display the processed Markdown.

Support ticket: SUPPORT-41836

URL-encoded certificate headers now supported by the HTTP Security Policy

The HTTP Security Policy enforcement handler now has the ability to consume URL-encoded certificate headers.

Support ticket: SUPPORT-43722

New configuration property now controls the RFC compliance level

A new configuration property has been added to the Akana Administration Console supporting the configuration of the RFC compliance level of the HTTP parser. This provides backwards compatibility with older versions of Jetty, and provides support for clients that are not compliant with the latest RFCs.

The new configuration property is com.soa.platform.jetty -> http.incoming.transport.config.compliance. For supported values, see "Configuring the security settings" on the page Configuring Compliance Modes for HTTP Parsing and Handling on the Akana documentation website.

Support ticket: SUPPORT-43722

API Consumer Application Security Policy now supports HMAC-SHA512

The API Consumer Application Security Policy has added support for cypher suite HMAC-SHA512, available as an option on the policy page. For more information, see "Configuring API Consumer Application Security Policy options" on the Akana documentation website.

Support ticket: SUPPORT-43228

Support added for new signing algorithms for OAuth provider PingFederate 10

For OAuth provider PingFederate 10.0.x, support has been added for the Private Key JWT and Request Object signing algorithms, available on an app's Details page by selecting OAuth Profile.

• Choosing Private Key JWT from the section "Choose from authentication options below" launches a dropdown "Private Key JWT Signing Algorithm" to select a signing algorithm that the client must use to sign the JWTs for client authentication.
• Choosing Required Signed Requests launches a dropdown to select the signing algorithm that the client must use to sign the request object.

Support ticket: SUPPORT-33433

Auth Token validity is now configurable

The Community Manager developer portal Auth Token validity is now configurable via the Active Login Session Timeout setting. If the Active Login Session Timeout is set to 0, then the Auth Token validity defaults to 30 minutes, as was the default before this update.

Support ticket: SUPPORT-43293

Security settings added to control CSRF defense when using the latest Chrome browser

The latest Chrome browser has changed the default setting it applies to the SameSite attribute, which defends against CSRF attacks. This was resulting in a failure to display API documentation inside an iframe from a third-party portal running on a domain other than the portal domain, in which case, an HTTP "401 Unauthorized" exception could occur.

To ensure the display of API documentation in this situation, there is a new setting on the Security Settings page (Admin > Settings > Security): set the Authentication CSRF Token Cookie Attribute - SameSite field to "None." An existing setting to control the Domain attribute, Authentication and CSRF Token Cookie Attribute - Domain, was also added to this page.

For more information, see "How do I configure settings for business security?" on the Akana documentation site.

Support ticket: No related support tickets.

For OpenAPI 3.0, parameters, request bodies, and responses can now contain examples

For an API based on OpenAPI 3.0 (OAS), its documentation now supports the inclusion of a full example, or multiple examples, for parameters, request bodies, or responses.

Support ticket: SUPPORT-41503

For the OpenID Connect Relying Party domain, default claim names were used instead of custom claim names

After configuring custom claim names in an OpenID Connect Relying Party domain in the Community Manager developer portal, default claim names were still used. Custom claim names are now used as expected, but any existing OpenID Connect Relying Party domains with claim names need to be saved for the changes to take effect. If, however, an existing OpenID Connect Relying Party domain, or one without custom claim names, is working without any issues, no action is required.

Support ticket: SUPPORT-41815

Some Swagger documents did not display correctly on the API Details and Designer pages

Swagger documents containing operations with responses of different content types did not display correctly on the API Details and API Designer pages.

Support ticket: SUPPORT-40901

Detailed auditing not capturing the request payload for platform services in certain scenarios

When the Detailed Auditing policy was attached to platform services (Community Manager APIs), the request payload was not captured in usage logs, in some cases.

Support ticket: SUPPORT-43093

Custom policies did not display when a PM Context path was not "/"

In Policy Manager, custom policies now work when the PM context path is something other than /. Previously, if the context path was not at root, the policies would not display correctly in the UI.

Support ticket: No related support tickets.

Updating an app's visibility could result in an error

In the Community Manager developer portal, changing an app's visibility from public to private could return an error if some public app settings were disabled.

Support ticket: SUPPORT-42717

For OAuth provider PingFederate, an app description was not properly added

When creating an app with PingFederate as the OAuth provider, the app description, i.e., the contents of the Description field under App OAuth Profile, was not added when syncing the ClientID to PingFederate.

Support ticket: SUP-12168, SUPPORT-1082

For an external keystore, issuer Distinguished Names with spaces could result in keystore certificates not being found

When using an external keystore, the certificate lookup mechanism did not handle issuer Distinguished Names (DNs) properly when matching against the keystore certificates, in which case issuer DNs with spaces could result in certificates not being found.

Support ticket: SUPPORT-41801

Files with disallowed file types could be uploaded to the portal if the filename was changed

A file with a content type that was not allowed for uploading to the developer portal could bypass this limitation if its name was changed.

Support ticket: SUPPORT-41553

Image quality could degrade after upload

After uploading an image to the Community Manager developer portal, the quality of the image was degraded in some cases.

Support ticket: SUPPORT-43183

With Oracle, API access failed when an API had many scopes and licenses

With an Oracle database, when a very large number of scopes and licenses were mapped to an API at the operation level, an API Access request failed with a SQL exception error.

Support ticket: No related support tickets.

Adding a new version to an API could fail

Adding a new version to an API with a descriptor could fail in some cases.

Support ticket: SUPPORT-41466

Elasticsearch could send unencrypted traffic in some cases

When the Elasticsearch sniffer feature was enabled, Elasticsearch could send unencrypted traffic on an HTTPS channel.

Support ticket: No related support tickets.

New user invitations were not returned in search results

New users invited to create an account in the Community Manager developer portal could fail to be listed under Admin > Users, due to a problem with Elasticsearch indexing.

Support ticket: SUPPORT-43158

API creation could fail when importing an OpenAPI 3.0 file with a circular reference

API creation was failing when importing an OpenAPI (OAS) file that had a circular reference to a schema, returning a "Recursion Depth Exceeded" exception.

Support ticket: SUPPORT-41462

Searching with "AND" limits the results appropriately

Searching APIs for keywords using "AND" returns only those APIs that have both elements present. Prior, a search using AND did not properly narrow the results, returning APIs with just one element present.

Support ticket: SUPPORT-40951

A regression could result in the Process Editor failing to display when the Policy Manager context path was not root

Due to a regression introduced in 2020.2.6, Process Editor display errors could occur in the Community Manager developer portal. When Policy Manager was running on a different context path than root ("/"), the Process Editor did not display on the API Details and API Implementation Details pages.

Support ticket: No related support tickets.

In Policy Manager, alert emails could return a SQL exception for Oracle

When an alert was generated from an Oracle database in Policy Manager and an email was sent to the configured user, a SQL exception could occur.

Support ticket: SUPPORT-26139

Calls between virtual services could fail in some cases

Calls between virtual services could fail if the normalized response contained invalid XML.

Support ticket: SUPPORT-42841, SUPPORT-42841

In Bonita theme, users without access could view the Analytics menu

The Analytics menu for an API was visible to users who did not have access to any Analytics functions; when clicked in the navigation bar, an HTTP error "401 Unauthorized" was returned. Now the Analytics menu displays only for authorized users, similar to Hermosa theme.

Support ticket: SUPPORT-40276

Multi-file import could fail to find a referenced object when adding a new API

When adding a new API in the Community Manager developer portal, fragment or local references (those without a complete file path) to other files of a ZIP were not resolving properly, producing an HTTP 500 Internal Server Error.

Support ticket: SUPPORT-42292

The Add App menu could return an error for non-admin users

In the Community Manager developer portal, selecting the Add App menu could intermittently fail for non-admin users, returning an HTTP 401 Unauthorized Error.

Support ticket: SUPPORT-43222

The PM.ALERTS table in a sharded Mongo cluster now uses an auto-generated value for its ID

In Policy Manager, the PM.ALERTS collection's _id now uses an auto-generated value, while still maintaining the sequence numeric value in the id field. This addresses an issue in which the Akana Alerts service could fail in a sharded Mongo environment if the _id column was selected as part of the shard key for the PM.ALERTS collection.

Note: In 2020.1.0, the _id field in PM.ALERTS was modified to use the numeric value from the Mongo auto-generated ObjectId value. This change has been reverted to use the Mongo auto-generated _id value.

Support ticket: No related support tickets.

Regression could cause an error when creating an app in the Community Manager developer portal

After an upgrade from 2019.1.7, an HTTP 401 Unauthorized Error could be returned for an app created by a non-admin user.

Support ticket: SUPPORT-42937

With CSRF enabled, some API policy and process pages did not load

In the Community Manager developer portal, some API policy and process pages were not loading if CSRF was enabled in the Akana Administration Console (when com.soa.console.csrf > org.owasp.csrfguard.Enabled was set to "true".)

Support ticket: SUPPORT-39230

Password security updates from 2020.2.5 reverted

Work related to the entry "General updates to strengthen password security" from the 2020.2.5 release has been reverted in this release due to regression that disallowed editing configurations for PIDs containing passwords. This issue will be addressed in a future release.

Support ticket: No related support tickets.

Filtering a search by tags is now supported

The search filters in the Community Manager Developer Portal now support searching by an API or app's tag.

Support ticket: SUPPORT-40632, SUPPORT-41146

Community Manager themes now support dynamic resizing on static pages

In the Community Manager developer portal, the height of static pages can now be resized dynamically when there are expand/collapse sections. This enhancement applies to these pages:

Hermosa theme:

• home/landing
• home/support
• API > Documentation

Simple Dev theme:

• welcome
• help
• documentation

Bonita theme:

• welcome
• help
• API > Documentation

Support ticket: SUPPORT-40842

Throughput Quota Policy could return inconsistent results

The Throughput Quota Policy (a Quality of Service (QoS) policy) could return inconsistent results, making it difficult to determine if the defined quota or queue size was being properly applied.

Support ticket: SUPPORT-42252

The HTTP Message Validation Policy could log unencoded special characters in error messages

Error messages produced by the HTTP Message Validation Policy could include unescaped or unencoded characters.

Support ticket: SUPPORT-36377

For the OpenID Connect Provider domain, some user data was displayed incorrectly at login

For the OpenID Connect Provider domain, the country code and phone number could be displayed incorrectly at login.

Support ticket: No related support tickets.

Regression when running some recipe scripts that include a property without a value

Some receipe scripts failed when updating a PID that included a property with no value, after an upgrade from 2020.1.5.

Support ticket: SUPPORT-42452

Envision: Startup error could occur that would require a restart of the container

The Envision container could require a restart at initial startup, due to the OSGi (Open Services Gateway initiative) framework bundle not initializing correctly.

Support ticket: No related support tickets.

API Details page was not displaying all properties for sample using "allOf"

The API Details page in the Community Manager Developer Portal was not displaying all sample properties when the allOf property was included in the schema definition.

Support ticket: SUPPORT-41583

General updates to strengthen password security

In addition to other updates, verification was performed to ensure that passwords are correctly defined as a "password" type to avoid them being treated like any other property.

Support ticket: No related support tickets.

Customization: When creating a new static page, customers can override the default post-login redirect behavior for the page

By default, with a few exceptions, if a user is on a page in the Community Manager developer portal and then logs in from that page, the user is taken back to the same page after login.

When creating a new static page, customers can now override this default login behavior so that if the user is on the static page, and then logs in, the user is taken to the Action Dashboard. For details and instructions, see Creating a New Static View in Hermosa Theme, with override of default redirect behavior.

Support ticket: SUPPORT-40635

Duplicate audit entries when Detailed Auditing and Business Metrics policies were both attached to an API

In a scenario where Envision was installed and the Detailed Auditing and Business Metrics policies were both attached to an API expecting a JSON response, there were duplicate entries in the request and response audit logs.

Support ticket: SUPPORT-42172

Obsolete jQuery versions have been removed

Obsolete jQuery libraries have been deleted from the product. The only distributed version is 3.4.1.

Support ticket: SUPPORT-31089

Ability to embed generated API documentation, including embedded Test Client, in a third-party portal

The generated API documentation currently displayed in the developer portal, either OpenAPI or Swagger, can now also be embedded in a third-party portal. If the generated API documentation includes the embedded Test Client functionality currently supported in the developer portal, embedded Test Client also works in the third-party portal.

Support for this feature includes a new library and a new working customization example in the customization ZIP file. If you do not have the customization ZIP file, ask Technical Support.

Authentication/authorization for the user's access to the API documentation from the third-party portal can be handled by the developer portal's SSO login functionality; for example, with SAML Web SSO or OpenID Connect.

Support ticket: SUPPORT-40315

The version was not displaying properly for APIs and apps on some pages

In the Community Manager developer portal, the version dropdown for APIs and apps was not clickable and the down arrow was not visible in some cases, so that multiple versions would not display. This occurred on the API Documentation page, the API Overview page, and the App details page.

Support ticket: SUPPORT-41168

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups, each entry in the search results includes a list of tags defined for that resource, if they exist. Each tag is now a hyperlink; clicking a tag in a search results entry returns a list of resources that use that tag. The list is specific to the type of resource. For example, on the All APIs page, clicking a tag in a search results entry gives a list of all APIs with that tag. To return a list of all resources that have a specific tag (APIs, apps, and groups), use the top general search bar.

Support ticket: SUPPORT-40634

New search scope capability for an API

The Community Manager developer portal has added support for selecting a search scope, available from the API's Manage Licensing page when "Enable Licensing for API" is selected.

Support ticket: SUPPORT-41169

Envision Demo Data plugin could fail to create charts and dashboards

The Akana Sample Datasets for Demo Charts plug-in, which provides a series of sample datasets for demo charts, could fail to create charts and dashboards, due to special characters in the description fields for these models.

A new configuration property has been added to the Akana Administration Console: analytics.validation.text.denylist under
com.soa.persistence.console. This configuration can allow or disallow special characters in the description field used in Analytics Manager.

Support ticket: No related support tickets.

Operation-level tags duplicated on API Details or Documentation pages

For operation-level tags, the tag name was used for both the name and description if no description was defined, resulting in the display of a duplicated tag name on the API Details and API Documentation pages. Now, just the name is displayed if there is no description.

Support ticket: SUPPORT-41166

The scrollbar on the API Overview page initialized incorrectly

In the Community Manager developer portal, the scrollbar on the API Overview page could initially appear in the middle of the page rather than at the top.

Support ticket: SUPPORT-41167

Creating a container using recipes could return an error

A timing issue during container startup intermittently caused the default certificate parameters to be unavailable when the container identity was generated, leading to an exception.

Support ticket: SUPPORT-37932

The version was not displaying properly for APIs and apps on some pages

In the Community Manager developer portal, the version dropdown for APIs and apps was not clickable in some cases, so that multiple versions would not display. This occurred on the API Documentation page, the API Overview page, and the App details page.

Support ticket: SUPPORT-41144

Login Entry Page customization did not launch the desired page

After customizing the Login Entry page to open a custom page rather than the default Action Dashboard, the Action Dashboard would still open.

Support ticket: SUPPORT-40876

For a null JSON property value, Elasticsearch indexing could fail

Elasticsearch indexing could fail when parsing a JSON object with a property value of JSONNull.

Support ticket: No related support tickets.

Searching in Community Manager could produce inconsistent results

When searching in the Community Manager developer portal using the top-level search box or the filter search box, the results could be inconsistent, depending on the order of keywords entered.

Support ticket: SUPPORT-40951

Importing a package could fail to add an included script

While importing a package into either Policy Manager or the Community Manager developer portal, if the package file included a script, sometimes the script did not get added and the service would not get deployed, resulting in an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-39727

Setting a protocol header in a script activity in an operation process could fail

Adding a SOAP header using a script activity in an operation process failed, returning an HTTP 404 "Not Found" error.

Support ticket: SUPPORT-40865

Multiple, selected dashboard notifications can now be deleted at once

For a role with permissions to delete a notification, multiple dashboard notifications can now be deleted, either by selecting all or some, then selecting "Delete Checked."

Support ticket: SUP-10607, SUPPORT-40289

"APIs I'm Following" widget now available for inclusion on the Action Dashboard

A widget to display "APIs I'm Following" can now be added to the Community Manager developer portal's tenant Action Dashboard or any other page. Previously, this was found only under the My APIs page.

Support ticket: SUPPORT-40444

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups on their respective "details" pages, each returned entry includes a list of tags used for that resource, if they exist. These tags are now each hyperlinks, so that clicking on a tag returns a list of all APIs, apps, or groups with that tag.

Support ticket: SUPPORT-40634

In Policy Manager, real-time charts could fail to display

When configured behind a reverse proxy that terminates SSL (HTTPS), the real-time charts could fail to display.

Support ticket: SUPPORT-40188, SUPPORT-39230

Real-time charts could fail to populate a start and end date time when viewing data

In Policy Manager's Real-Time Charts, selecting the View Data button could fail to populate the start and end date and time, resulting in an intermittent failure to display the logs via the Logs tab.

Support ticket: SUPPORT-40247

Some Community Manager URLs with special characters could expose an XSS vulnerability

Due to the inclusion of some special characters, some URLs in the Community Manager developer portal could result in a Cross-Site Scripting (XSS) vulnerability.

Support ticket: SUPPORT-41131

Open Banking Client Authentication policy could fail on APIs deployed on Network Director

For an API deployed on Network Director, the Open Banking Client Authentication policy could fail to process requests.

Support ticket: SUPPORT-40881

Policy Manager displayed SQL error details at login if the database was unreachable

The Policy Manager login page could display the internal SQL query error if the database was unreachable. Now, a generic error message "General System Error. Please contact Administrator" is displayed if the database cannot be reached.

Support ticket: SUPPORT-40572

JOSE Security Policy using JWKS could expose class name in a returned error

A JOSE Security Policy v2, configured for JWKS but not enabled for UK Open Banking support, could expose the exception class in a returned error, for example, "..."faultstring":"Authentication error. com.soa.transport.http.HttpException: HTTP Error..."

This was a regression from a previous release. Now, a returned fault appropriately omits the class name, returning, for instance: {“faultcode”:“Server”, “faultstring”:“Authentication error. Internal Server Error “}.

Support ticket: SUPPORT-25000

Installing the Policy Manager Services feature did not install the HTTP Headers Injection policy handler bundle

The Policy Manager Services feature, which includes the Security Services feature, did not install the HTTP Headers Injection policy handler bundle unless the Akana Policy Manager Console feature was also installed. This resulted in the Http Header Injection policy not working in Policy Manager container with no Console feature installed. This policy is now installed with the Security Services feature.

Support ticket: No related support tickets.

Login with 2FA was failing when more than one delivery option was enabled

Two-factor authentication could fail when multiple delivery options are enabled in the workflow for receiving the authentication code, such as enabling both email and text messages.

Support ticket: No related support tickets.

The Contract API for an API Version intermittently failed

The Get Contract Versions API (http://docs.akana.com/cm/api/apis/m_apis_getContractVersions.htm) for an API version could fail, in some cases in which there are a large number of contracts.

Support ticket: SUPPORT-40739

API Overview page no longer displays the Endpoints section

In the Community Manager developer portal, the Endpoints section on the API Overview page has been removed.

Support ticket: SUPPORT-40340

Importing a Swagger or OpenAPI 3.0 document now updates the version

Importing a modified Swagger or OpenAPI 3.0 document using the API Designer Edit page did not update some parts of the document, specifically the info.version element. Support has been added for updating the API version if the info.version element in an updated design document changes.

Support ticket: SUPPORT-39972

The API Details page could display invalid characters in the schema for the request body

When importing an API into the Community Manager developer portal, a schema description containing special characters was displayed as invalid characters.

Support ticket: SUPPORT-40296

The Rhino javascript engine could result in script evaluation failures

An upgrade of the Rhino javascript engine resulted in intermittent script evaluation failures in which API calls could return an HTTP 404 "Not Found" error, along with error “java.lang.NoClassDefFoundError: org/mozilla/javascript/NativeJavaPackageHelper.”

Support ticket: SUPPORT-40978

An API's documentation page could report an error when displaying operations

For some Request body content-types, an API's documentation page, at API > Documentation, could fail to display operations when expanded, and report an error.

Support ticket: SUPPORT-40254

Schema installation for dropping a view failed with Microsoft SQL Server 2012

For Microsoft SQL Server 2012, when installing the Akana API Platform version 2019.1.22 or later, database schema installation for dropping a view could fail.

Support ticket: SUPPORT-40526

API Designer did not correctly display the Value or Sample field

On an API's Details > Design page, the Request body's "Value" field and the Response body's "Sample" field could fail to display for some compound schemas using Open API Specification 3.0 or Swagger 2.0. Support has been added for the field "Sample" for compound schemas in Swagger and Open API documentation.

Support ticket: SUPPORT-40257

The Customization link on Simple Dev and Bonita theme home page returned an error

The "How to Customize" link on the home page of the Community Manager developer portal for the Simple Dev and Bonita themes was broken. It now properly launches the "Detailed Customization Document" page on the Akana docs site.

Support ticket: SUPPORT-39977, Support-39977

Updates to the UI's API Implementations pages

Enhancements have been made to the UI, in particular to the API > Implementations pages, to clarify some functionality.

Support ticket: No related support tickets.

Compound schemas with cyclic references were not supported in the API Designer

Updates to the UI have been made to improve performance and to support compound schemas with cyclic references.

Support ticket: SUPPORT-40095

Some client certificates were rejected with SSL errors

The default SSL endpoint identification algorithm configured by Jetty9 caused a change in behavior during SSL handshakes for mutual authentication. This more stringent algorithm led to certain client certificates being rejected.

Support ticket: SUPPORT-40380

APIs with a large number of connections could not be deleted

For APIs with hundreds of connections (contracts to apps, in this case), deleting the API version could fail, exceeding the number of prepared statements or cursors allowed in the database per session.

Note that if deleting the API version fails for another reason, some or all contracts could still be canceled (although the contracts could be canceled in the usual way).

Support ticket: SUPPORT-40157

Deleting an LDAP user in Policy Manager could result in an error

When a user was deleted from an LDAP server in Policy Manager, if that user had also logged into Community Manager at some time prior, an error could occur. Now, deleting an LDAP user works as expected.

Support ticket: SUPPORT-29121, SUPPORT-3382, SUP-10427, SUP-15966, SUPPORT-1199, SUPPORT-38345, SUP-17739, SUP-18759, SUPPORT-38225

HTTP method could be returned as null

A concurrency issue in the Java DOM (Document Object Model) could lead to errors when reading data from WSDL documents in a multi-threaded environment. This was intermittently causing the HTTP method defined in the WSDL to be returned as null.

Support ticket: SUPPORT-22829, SUP-18551, SUP-18819, SUPPORT-3174, SUPPORT-3442, SUPPORT-23547, SUPPORT-23857, SUPPORT-24784, SUPPORT-27207, SUPPORT-27586, SUPPORT-34085, SUPPORT-39326, SUPPORT-22567, SUPPORT-22779, SUP-18551,SUPPORT-22779,SUPPORT-22567

Users with appropriate privileges could not access an API's discussions

In some cases, users with roles mapped with appropriate privileges were unable to create or view discussions on a private API.

Support ticket: SUPPORT-39976

Roles mapped to an LDAP group were ignored for a user in some cases

For users assigned to a group in LDAP, signing into the Community Manager developer portal could result in incorrectly assigned privileges that did not reflect the role to which the LDAP group was mapped.

Support ticket: SUPPORT-39971

User-defined roles are not taken into consideration in certain scenarios

In some cases, user-defined roles were not considered in regards to contract workflows.

Support ticket: SUPPORT-39952

The API Designer's Import and Cancel buttons could produce an error

For APIs created with JSON files that had a large number of operations, the API Designer's Import and Cancel buttons were sometimes unresponsive.

Support ticket: SUPPORT-39813

Customization files are no longer generated for all themes

When adding or modifying a theme, and saving the updates in the Site Settings page, the platform no longer automatically generates out-of-the-box customization files for all current themes.

Support ticket: No related support tickets.

Envision login could pose potential security risk on LDAP domain

When logging into the Envision Console on an LDAP domain, valid usernames could potentially be exposed through repeated logins. For example, if an invalid username was provided, the application returned "User <username> does not exist." Now a generic message "Invalid user credential" is returned in all cases.

Support ticket: SUPPORT-2387, SUP-17761

Lifecycle Repository extended properties can be configured as a single value or multiple values

For API, App and User extensible properties, Community Manager now supports the configuration of a single value or multiple values. A multi-value list can include free-form values added by the user.

Support ticket: No related support tickets.

Automation recipes enhanced with additional security configuration options

Out-of-the-box automation recipes have been enhanced to support various use cases configuring security across Akana containers.

Support ticket: SUPPORT-36354

MongoDB can now be configured for recovery jobs

When using the MongoDB Support plug-in to manage audit and metrics data, new options are available to configure recovery jobs. These options help avoid loss of metrics data and ensure data accuracy during a roll-up process. In the Akana Administration Console, these are available at Configuration > com.soa.persistence.mongodb:

Support ticket: No related support tickets.

Akana OAuth/OIDC Provider Domain adds support for PKCE

This release adds support for the optional PKCE security extension for OAuth, with the Authorization Code grant type. PKCE (Proof Key for Code Exchange) enhances security by adding an additional key with the authorization code request and again with the token request. For more details, see Akana OAuth/OIDC Provider Domain: Tab 2, Grant Types - Configuration Values on the Akana documentation site.

Support ticket: No related support tickets.

Configure data chunk size in MongoDB for improved resource management

Admins can now control the number of records for a Mongo MapReduce operation to avoid processing delays and meet SLA requirements if resources are tight or the amount of data is high. A new maxBatchSize configuration property is available in the Akana Administration Console at Configuration > com.soa.persistence.mongodb > persistence.mongodb.rollup.maxBatchSize. The default setting is 10,000.

Support ticket: No related support tickets.

New AllowListedCrossSiteScripting policy in Policy Manager

A new operational policy, AllowListedCrossSiteScripting, replaces the WhiteListedCrossSiteScripting policy in Policy Manager under Registry > Policies > Operational Policies > AllowListedCrossSiteScripting. Existing WhiteListedCrossSiteScripting policies will be retained.

Support ticket: No related support tickets.

Customization samples available to download from the Customizations page

A zip file of the customization samples is now available to download from the Customization page, accessed via More > Admin > Customization > Download Customization Samples.

Support ticket: No related support tickets.

Assign a policy at the operation level

Assigning a policy to a specific operation in an API implementation, rather than to the entire implementation, is now supported. See How do I assign policies to my API implementation? on the Akana documentation site. This functionality is also supported in the Test Client, both in the context of the Community Manager developer portal and when Test Client is embedded in authored API documentation.

This resulted in changes in the request and/or response to some existing operations that manage information about policies attached to an API.

Previously, these operations used the Policies model object, whether directly or nested within another model object. The Policies object includes an array of information about one or more policies attached to the service. These operations now use additional information, to accommodate policy attachments at the operation level in the developer portal and the APIs:

• Policy[ ]: An array of information about one or more policies attached to the service
• ApiOperationPolicy[ ] : An array of information about the operation and about one or more policies associated with it

Modified operations include:

ApiVersion:

• GET /versions/{ApiVersionID} (http://docs.akana.com/cm/api/apis/m_apis_getAPIVersion.htm)

• POST /{ApiID}/versions (http://docs.akana.com/cm/api/apis/m_apis_createAPIVersion.htm)

TargetAPI:

TargetAPI (field TargetAPI inside ApiVersion; see above)

APIImplementation:

• PUT /api/apis/versions/{ApiVersionID}/implementations/{ImplCode}/policies (http://docs.akana.com/cm/api/apis/m_apis_modifyAPIImplementationPolicies.htm)
• GET /api/apis/versions/{ApiVersionID}/implementations/{ImplCode}/policies (http://docs.akana.com/cm/api/apis/m_apis_getAPIImplementationPolicies.htm)

Support ticket: SUPPORT-36137, SUPPORT-3459

Get Contract Versions API supports pagination

The Get Contract Versions API, GET /api/apis/versions/{APIVersionID}/contracts), now supports pagination using start and count optional query parameters.

Support ticket: SUPPORT-35863

Bonita theme now includes an API Access Wizard

In Bonita theme, you can request access to APIs using the API Access Wizard, just as you can in Hermosa theme, available via an "Access" button on the API Details page.

Support ticket: No related support tickets.

Bonita theme adds support for authored documentation

In versions prior to 2020.2.0, Bonita theme supported viewing generated documentation in Swagger 2.0 and OAS 3.0, but not authored documentation. In version 2020.2.0, Bonita also supports viewing authored API documentation that has been uploaded, including all aspects of API documentation functionality. For more information, see Bonita theme: API functionality on the Akana documentation site.

Support ticket: No related support tickets.

Policy Manager Real Time Charts no longer use Adobe Flash

The Real Time Charts in Policy Manager no longer use the Adobe Flash Player, which Adobe stopped supporting on December 31, 2020. The new, improved versions display similarly to earlier, Flash-based charts.

Support ticket: No related support tickets.

Latency when querying MongoDB for service data

Filtering usage data by service has been improved by correcting the improper use of an index.

Support ticket: SUPPORT-34899

Support for Elasticsearch version 7.9.x

Support for Elasticsearch version 7.9.x has been added. Previous versions of Elasticsearch are incompatible with the API Platform, and support for the Elasticsearch Transport Client has been removed. Users must upgrade servers to Elasticsearch 7.9.x, as follows:

1. Upgrade Elasticsearch servers to use version 7.9.x.

2. Configure/Update REST Client URL (s) in:
Akana Administration Console > Configuration > "Configure Elasticsearch Global Configuration".

3. Delete the old indices by name or delete all indices using "_all":

curl -XDELETE 'http://<ES_HOST>:<ES_PORT>/_all'

4. Reindex all the objects:
Run the following query to reindex all the objects.

delete from INDEX_STATUS;

Support ticket: SUPPORT-32942, SUPPORT-33935

Envision: Exporting charts functionality has been removed

Exporting a chart as an image, previously available from several Envision dialogs, has been removed to avoid potential security issues.

Support ticket: SUPPORT-2383, SUP-17757

Search capability added to the Policies page for an organization

On the Policies page, accessed in the Community Manager portal via Organizations List > choose an organization, search tools are now available to help locate a policy.

Support ticket: No related support tickets.

Policy Manager: Dependency Map has been removed

Policy Manager's Dependency Map has been removed from the UI, previously available at Services > Monitoring > Dependencies.

Support ticket: No related support tickets.

Process Editor now available from API Details page

The Process Editor, previously accessed only via the API > Implementations page, is now available from the API Details page. To open it, choose API > Details > Design section > specific operation, Actions drop-down; then select Edit Live Process or Edit Sandbox Process.

Support ticket: No related support tickets.

JRE version security patch updated

The JRE version 1.8 has been updated with the latest security patch, version 8u265.

Support ticket: No related support tickets.

New SMTP task sets SMTP properties

A new Akana Administration Console task, "Configure SMTP server settings for email sending," sets SMTP properties via automation recipes. To run the task in automation, use the recipe file tasks/smtp-settings.json.

Support ticket: SUPPORT-33864

Envision: Chart creation now features UI guidance on filters that could improve analytics performance

When creating charts in Envision, certain selections can negatively impact analytics performance; for example, filtering by an unnecessarily broad time range would result in long loading times that present undesired data.

Envision chart creation has now been enhanced to:

• Set default timestamp filters that focus on the most recent data.
• Warn on potential time range mistakes; for example, a choice of a DAY interval with a timestamp filter greater than "1 WEEK FROM" the current date prompts a warning message to consider using the WEEK interval instead.
• Warn to drill down at a finer granularity when building a drilldown chart.
• Warn when using a TO_DATE filter that a FROM_DATE should also be added to avoid processing unintended historical data.

Support ticket: No related support tickets.

New automation recipe to update Elasticsearch index

If new Elasticsearch indexes are added or existing indexes are modified, a new automation recipe, cm-es-index-upgrade.json, is available to update the index. This recipe takes no parameters. See Updating the Elasticsearch index on the Akana documentation site for detail.

Support ticket: No related support tickets.

Envision: UI forms now identify all required fields with an asterisk

Any required fields in an Envision UI form are now clearly marked with an asterisk (*).

Support ticket: No related support tickets.

Envision: Dashboard displays chart loading information

The Envision dashboard now displays loading animation while each chart loads to provide a visual cue of progress.

Support ticket: No related support tickets.

Envision: Ability to edit a chart without first previewing it

The ability to edit a chart without first running a preview has been added. This can avoid a wait when charts take a long time to load.

Support ticket: SUPPORT-2579, SUP-17954

Community Manager required fields did not display an asterisk

In the Community Manager developer portal, mandatory fields in the API documentation's Schema section for Swagger and Open API documents now properly display an asterisk (*).

Support ticket: SUPPORT-35475

API Details page did not display operation details

The API Details page did not fully populate with operation details for some APIs.

Support ticket: SUPPORT-39524

Community Manager SSO login to Open Banking could experience errors when retrieving trusted CA certificates

Single sign-on (SSO) logging for UK Open Banking could fail to return the trusted CA certificate when the database contained a very large number of CA certificates.

In the Akana Administration Console, a new setting now provides control of the cache expiration interval allowed for trusted CA certificates, under Configuration > com.soa.subsystems > trusted.ca.cache.expireIntervalMillis. The default is 60,000 milliseconds, or one minute. It's recommended to increase the cache time to 5 to 10 minutes. Restart is not required for the configuration to take effect.

The SQL prepared statement used with all the possible context paths for the public certificates is rounded up to the nearest 100. The statement can be profiled based on the number of public certificates in the system. For example, for 620 or 667 public certificates, profile the SQL for 700.

Support ticket: SUPPORT-36496

Jetty setting context.manager.maxFormSize did not work for default value

The Jetty transport setting that controls the maximum number of bytes allowed in a form returned errors when the default value of 0 was set. A default of 0 should allow 200,000 bytes, but the request was instead erroneously rejected. This setting is accessed in the Akana Administration Console under com.soa.platform.jetty > context.manager.maxFormSize.

Support ticket: SUPPORT-34297

Next Hop URL missing for SOAP service failures

For a SOAP service failure when an HTTP error 500 Internal Server Error was returned, the Policy Manager usage logs contained an empty Next Hop URL field.

Support ticket: SUPPORT-34119

Defining a role in Policy Manager could display incorrect domains

The Policy Manager "Manage Role" function could display unsupported domains for selection in the "Within" dropdown (Policy Manager > Registry > Security tab > Manage Role). Now, only LDAP, Active Directory, or the local domain are displayed.

Support ticket: SUPPORT-37214, SUPPORT-37450

For OpenAPI 3.0 or Swagger 2.0, a complex, compound schema could display operation details incorrectly

When using OpenAPI 3.0 or Swagger 2.0, an API description document with complex, compound schemas containing keywords allOf, anyOf, or oneOf could result in a malformed display of operation details.

Support ticket: SUPPORT-38857

Network Director: Script execution allowed requests for unsupported script languages

Script execution is now validated at runtime against the engine types listed in com.soa.script.framework.properties in the Akana Administration Console for Network Director. If the script type is not found in the script.engine.manager.engines properties list, script execution will fail.

Support ticket: No related support tickets.

The Sign Up page could fail to load when images were enabled on login domains

When trying to open the Sign Up page by clicking the Create Account tab in the Community Manager developer portal, the page could fail to load and would display an error if images or logos were in use for any enabled login domains.

Support ticket: SUPPORT-36489

A vulnerability in the Akana Administration Console could result in an SSRF attack

A vulnerability was identified in the Akana Administration Console that could have resulted in a Server Side Request Forgery (SSRF) attack.

Support ticket: SUPPORT-37566

Network Director connections could hang in CLOSE_WAIT state

In certain scenarios, the connections on Network Director could hang in a CLOSE_WAIT state, resulting in socket timeout exceptions for the clients. The Jetty server upgrade has addressed this issue.

Support ticket: SUPPORT-35839, SUPPORT-32186, SUPPORT-36814

External OAuth Provider Domain: Documentation clarification re X.509 Certificate URL

In some cases, there were problems in accessing the X.509 certificate URL for the External OAuth Provider domain. The platform requests the certificate using a POST API call, and the X.509 certificate URL must support POST requests. The documentation has been updated to clarify this requirement (External OAuth Provider Access Token Validation page, Signing Keys field).

Support ticket: SUPPORT-21712

OpenAPI 3.0 API documentation could display invalid Content-Type

When using OpenAPI 3.0, the API documentation could display an invalid Content-Type in the request body when viewing the documentation via the APIs > My APIs > choose API > Documentation tab.

Support ticket: SUPPORT-38035

HTTP request smuggling vulnerability

A possible HTTP request smuggling vulnerability has been addressed by the Jetty server upgrade.

Support ticket: SUPPORT-28819

Jetty version has been upgraded to 9.4.31

The version of Jetty bundled with the Akana API Platform has been updated to 9.4.31.

Support ticket: SUPPORT-29284, SUPPORT-29395, SUPPORT-26187, SUPPORT-20513, SUPPORT-32186, SUPPORT-28819

UI enhancements to the API or App Details page

In the Community Manager developer portal, several enhancements have been made to the API Details and App Details pages for improved usability:

• For the Bonita theme:
  • The left navigation bar Analytics entry on the API or App Details page now includes sub-menu entries Overview, Charts, Logs, and Licenses.
  • The Analytics section on the API Details page now provides access to license monitoring at APIs > My APIs > choose API > Analytics > Licenses.
• On all themes on the API Details page, the Edit button has been moved into the API Description pane rather than above it.

Support ticket: No related support tickets.

Metrics API sometimes returning incorrect value

The Get Metrics API (GET /api/apis/versions/{APIVersionID}/metrics) was sometimes returning the wrong value for totalRequestSize and totalResponseSize.

Support ticket: SUPPORT-36498

RAML Parser upgraded from 0.8.7 to 0.8.40

The RAML Parser jar version has been upgraded from 0.8.7 to 0.8.40 to ensure proper API creation when importing a RAML file.

Support ticket: SUPPORT-37007

The "Comment on Ticket API" did not send notifications to the creator of a ticket

When adding a comment to a ticket using the Comment on Ticket API, POST /api/tickets/{TicketID}/comments, no notification was sent to the ticket creator. Notifications are now properly sent.

Support ticket: SUPPORT-34312

Invalid username could result in a security vulnerability

In some cases, an invalid username could be inserted into an LDAP query, resulting in an application exception and a subsequent LDAP injection vulnerability.

Support ticket: SUPPORT-2390, SUP-17764

Lifecycle Repository Runtime Configuration did not update extended metadata

When extensible metadata is enabled in the developer portal, the Lifecycle Repository Runtime Configuration did not always reflect updated metadata values for an API. Now asset properties are appropriately updated in the database before the Runtime Configuration is invoked.

Support ticket: SUPPORT-35841

Envision: Some data written to the database could alter the JSON response

In some cases, data written to a MongoDB database could include literal backslash escape characters, resulting in an alteration of the JSON response and a potential security threat. Now, all Envision APIs validate input appropriately before writing to the database. Any data out of spec returns an HTTP 400 Bad Request error.

Support ticket: SUPPORT-2384, SUP-17758, SUPPORT-2385

Deleting an organization produced an error when Lifecycle Repository was enabled

When Lifecycle Repository is installed and enabled, deleting an organization in Community Manager could fail.

Support ticket: SUPPORT-36083

UI upgrades to theme headers and footers

The header and footer logos in all themes have been updated for consistency. The DevOps theme header is now consistent with the Bonita theme.

Support ticket: No related support tickets.

Creating multiple APIs concurrently could result in deadlock

When creating multiple APIs concurrently, database deadlock could result in some cases. The possibility of database deadlocks has now been reduced.

Support ticket: No related support tickets.

Lifecycle Coordinator topology PUT method could fail

Invoking the PUT method for the TopologyAPI did not properly update the "topologyTenants" property in the table "INSTALLPROPS" for all tenants.

Support ticket: SUPPORT-20605

New option regarding disallowed properties for the HTTP Message Validation policy

The HTTP Message Validation policy has a new option "Log additional properties" to generate an alert when the request contains properties disallowed by the schema. When enabled, the alert is generated. The default is disabled.

Support ticket: SUPPORT-35453

Network Director containers do not need restarting when the Policy Manager domain certificate is updated

When the Policy Manager domain certificate is updated, there is no need to restart Network Director containers to update the certificate information.

Support ticket: SUPPORT-32450

The JOSE Security Policy v2 Appendix F option enforces Base64URL encoding

The JOSE Security Policy's Appendix F option now enforces a Base64URL encoding on the payload when signing, as defined in the Appendix F (Detached Content) section of the JWS specification (RFC-7515).

Support ticket: No related support tickets.

Envision: Improved performance on MongoDB for roll-up datasets

The Analytics aggregation collection primary key storage in MongoDB has been optimized to reduce RAM requirements for efficient charting and aggregation queries. This is evident when creating new datasets in Envision.

Support ticket: No related support tickets.

Deployment automation improvements

Various enhancements have been made to the recipes that automate deployment, including:

• System properties can now be passed to the target container using the "--D" option.
• A recipe path can now be specified to facilitate the use of multiple repositories, using a new command line option "--path".
• The add-local-listener recipe now accepts a boolean DEFAULT_BIND_ALL property indicating whether the listener should bind to all interfaces. The default is false.
• Any properties defined as PASSWORD type will no longer be logged.
• The hardening-cm.json recipe has a new property xFrameOptions":"${XFRAMEOPTIONS|SAMEORIGIN} to control how a browser is allowed to render a page.
• New recipes to unregister or re-register a container are available: unregister-container.json and register-container.json.
• A custom JAVA_HOME environment variable can now be set.

Support ticket: No related support tickets.

Elasticsearch sniffer feature is now configurable

A new property has been added under the Akana Administration Console Configuration tab to allow the configuration of the Elasticsearch sniffer feature, which automatically discovers nodes. The property is elastic.client.useSniffer under com.akana.es.client.security. The default setting is true.

Support ticket: No related support tickets.

The DevOps theme now supports LDAP and Active Directory for login

The DevOps theme for Lifecycle Coordinator has added support for LDAP and Active Directory login accounts.

Support ticket: No related support tickets.

A link to a non-existent landing page now returns an HTTP 404 error

Links to a non-existent landing page display an HTTP 404 "Page not found" rather than a blank page.

Support ticket: SUP-9733, SUPPORT-1040

Supported added for "claims" parameter for OpenID Connect

The Akana OAuth/OIDC Provider domain now supports the "claims" request parameter. For detail, see the relevant RFC at https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter.

Support ticket: SUPPORT-29833

Database tables updated to accommodate additional metrics on header length

Updates and enhancements have been made to the database tables MO_USAGEDATA, MO_USAGE_NEXTHOP, MO_ROLLUP, and *MO_ROLLUPDATA to include the length of the message header:

Support ticket: No related support tickets.

Only a subset of the platform's settings is available before user login

Because the API GET /resources/{ResourceVersionKey}/settings can be called before user login, the settings it can return have been limited to:

• FedMembers
• LoginDomains
• Challenges
• PasswordPolicy

A new api, getPostLoginSettings (GET /resources/v2/{ResourceVersionKey}/settings), returns all the tenant's settings and requires that the user be logged in.

Support ticket: No related support tickets.

Login pages rebranded

Login pages for the Akana Administration Console and Policy Manager have been rebranded.

Support ticket: No related support tickets.

New APIs now control the My Dashboard Watchlist

A series of new APIs have been added to the platform to control a user's list of "Top APIs" maintained in the new My Dashboard feature. These APIs are part of the Users service and add, delete or return information on the APIs in this list:

• Add an API to the list: POST /api/users/{UserID}/topapis
• Delete an API from the list: DELETE /api/users/{UserID}/topapis/{APIID}
• Return information on a user's list of APIs: GET /api/users/{UserID}/topapis
• Return metrics for the APIs on the list: GET /api/users/{UserID}/mydashboard

For detail, see the list of Users service APIs at Users Service: Overview.

Support ticket: No related support tickets.

Admin menu enhancements

The Admin menu in the developer portal (under More > Admin) has been reorganized for better usability. This includes flattening the left Admin menu to make various elements more accessible. For example, Country Codes is now a top-level entry, and Custom Styles has been renamed “Customization” and moved up from the Config menu.

Support ticket: No related support tickets.

Performance improvements when batch writing usage data

Usage monitoring now uses data size queues when batch writing usage data, reducing the likelihood of out-of-memory conditions. Prior to this change, monitoring usage data was based on queue size. The properties on com.soa.monitor.usage have changed as follows:

Support ticket: No related support tickets.

New options available when creating theme customizations

In previous versions, when customizing files, users needed to create an exact folder structure within the developer portal, in File Explorer, and create and upload the customization files.

Now, two new options provide a theme-specific set of starter files for customization:

• Generate customization files—Generates a set of files for the specified theme.
• Download customization files—Downloads a ZIP file of the customization files for the specified theme. Users can then customize the files offline and upload the updated files.

The page has been renamed and is now on the top-level Admin menu:

• Previous navigation: More > Admin > Config > Custom Styles
• New navigation: More > Admin > Customization

In addition, users can provision all starter customization files in one action by going to the Site Settings page and adding a new theme.

Note: If customization files are already in place, they are not overwritten.

For detail, see What functions are available to the Site Administrator on the Customization page? on the Akana docs site.

Support ticket: No related support tickets.

Network Director: Asynchronous error messages processing could be slow

For batch messages processed asynchronously, reply message processing could experience a slowdown with overhead limit errors. This could occur when configuration limits were reached, which would result in connections being closed. The behavior has been changed to reduce the likelihood that connections will be closed unnecessarily.

Support ticket: SUPPORT-26089, SUPPORT-27740

Sign Up page doesn't pre-select security questions

The platform's Sign Up page for new accounts has updated the security questions section to add a "Select" option so the user can choose security questions, rather than having the page pre-select security questions.

Support ticket: No related support tickets.

Site Admins can manage country codes from new Country Codes page

A new Country Codes page in Admin > Country Codes allows Site Admins to manage the visibility of country codes on Signup, User Profile, and Create User pages. For detail, see Country Codes on the Akana docs site.

Support ticket: No related support tickets.

Rhino JavaScript updated to latest version

The Rhino JavaScript engine has been updated to the latest version, 1.7.12.

Support ticket: SUPPORT-29942

MongoDB now stores audit data (header and payload) separately, resulting in performance improvements

For MongoDB, usage info (headers) and usage messages (payload) are now stored separately, to decrease memory load in Network Director and improve performance.

A new MongoDB collection PM_AUDIT.AUDIT_MSG stores usage messages distinct from the existing collection PM_AUDIT.AUDIT used for usage Info. In addition, the existing index AUDIT_2AIdx on PM_AUDIT.AUDIT has been modified to have a unique restriction with a shard key prefix, for example:

> use PM_AUDIT;

> db.AUDIT.createIndex( { "containerKey" : 1, "eventId" : 1 },     

         { "name": "AUDIT_2AIdx", "unique" : true, "background": true } )

You may have to update your scripts if you are retrieving Auditing Service Policy data directly from MongoDB.

Support ticket: No related support tickets.

Support for setting an API's visibility when creating an API

When creating an API, its visibility can now be specified under the Add API screen's Advanced Options section.

Support ticket: SUPPORT-1789, SUP-17137

Trusted CA services enhanced

Trusted CA services have been enhanced to support expiration dates for certificates and to allow their removal.

Support ticket: SUP-1279, SUPPORT-1001

Keyword search did not return entries for an API description

In some cases, a keyword search did not return entries from an API's Swagger description. Now, a document's descriptor tags are added to an API's tags when adding an API in the developer portal.

Support ticket: SUP-13385, SUP-15048, SUPPORT-1097, SUPPORT-1146

Community Manager installation includes Default and Hermosa themes by default

Installing Community Manager now installs both Hermosa and Default themes, so they no longer need to be installed separately. (Note, however, that Default Theme is deprecated with the 2020.1.0 release and will be removed completely in a later version.)

Support ticket: No related support tickets.

Control the display of QoS policies defined in the tenant

By default, QoS (Quality of Service) policies defined in a tenant are displayed in the API Access wizard when an app/API contract is requested. If you don't want the app developer to see these policies, disable this setting on the More > Settings > Apps page by deselecting the item "Show policies on API Access wizard."

Support ticket: SUP-12957, SUPPORT-1092

Improved Network Director startup time

Performance enhancements have been made to improve Network Director startup times.

Support ticket: No related support tickets.

Authored API documentation supports adding links to download a file

To allow users to download files via authored API documentation, add a new class attribute soa-control-cm-inline-do-not-process-link to the HTML <a> tag. A link with this class attribute is not processed to remove the link. See API Documentation Maintenance on the Akana docs site.

For example:

<a class="soa-control-cm-inline-do-not-process-link" href="./file-download.xlsx?download=true" target="_blank">Download Spreadsheet</a>

Support ticket: SUP-10706, SUPPORT-1052

API version workflow can now automatically connect apps when a new API version is created

Apps contracted to an API are automatically connected to a new API version, using the API version workflow's pre-function connectAppsFromPreviousVersion. To take advantage of this feature, add the function to your workflow. For detail, see API Version Workflow, "connectAppsFromPreviousVersion."

Support ticket: SUPPORT-17097

Specifying an API version ID when adding an API version now returns an error

When adding an API version using the API POST /api/apis/{APIID}/versions, passing in an API version ID is not allowed and will return an HTTP "400 Bad Request" error. Previously, the version ID was ignored, but did not return an error.

Support ticket: SUP-12292