Update 2022.1.2.10
Upgrading Akana API Platform to Version 2020.1.x, 2020.2.x, or 2022.1.x
It's recommended to create indexes before upgrading to 2020.2.x.
If you have UI customizations, rebuild styles after upgrade (Admin > Customization > Rebuild Styles), then test your customizations.
Date/release version | Changes |
---|---|
December 4, 2023, 2022.1.2 | Added entries for 2022.1.2.8, a cumulative update including all other updates. |
January 17, 2024, Update 2022.1.2.8 | Updated entry "Combining some policies and configurations could fail to log the response body." |
Note: Each update is cumulative and includes all updates provided in earlier 2022.1.2 updates.
April 18, 2024
To address CVE-2024-2796, Akana has introduced the following security measures:
In addition, users are strongly advised to review the security settings for Akana deployments discussed in the Platform Hardening Guide, specifically the settings that prevent forward proxying (which protect cloud-based Akana deployments) and the other hardening settings.
Case number: No related case number
For "trace" logging, or for errors that occur between the Network Director and Policy Manager, logging entries that might pose a security risk, including all sensitive information, are now encrypted.
Prior to this update, the entire request and response XML were printed with and without encryption when the log level was "trace" or when an error was thrown.
Case number: No related case number
Akana adds support for using AWS Identity and Access Management (IAM) authentication tokens when accessing Amazon RDS (Relational Database Service) instances. When the IAM feature is enabled on the Amazon RDS instance, Akana communicates with the RDS instance using the IAM token instead of traditional database credentials. Akana has certified this feature with MySQL and Aurora MySQL-compatible databases.
Case number: 01049614
The logs for a container sometimes contained duplicate entries, or the millisecond (ms) timestamp could be incorrect.
Case number: 00970405
When the Amazon RDS (Relational Database Service) is configured to use IAM (Identity and Access Management), some functionality is not available:
com.soa.monitor.usage > usage.local.writer.enabled > true
February 26, 2024
Automatic resource caching (covering static resources and the other resources in a container, including users, groups, APIs, apps, board items, and so on) can now be configured to avoid situations in which a very large cache results in poor performance during refresh.
Use the new Admin console property atmosphere.config.staticVisibilityRelationshipCacheInDays within the com.soa.atmosphere configuration to set both the number of previous days to refresh and the frequency of the job.
Case number: No related case number
The analytics logs filter "Status Code" included only standard error codes. Now, non-standard error codes have been added for cases in which other error codes are used; for example, 555, 556, and 557 are now available in the filter.
Case number: 01062506
The Basic Auditing Policy did not properly display "Verb" and "Status" as well as "partial request" and "partial response."
Case number: 00969635
The OpenID Connect Relying Party Domain now allows the option to configure additional parameters and to send them in the /api/login/ssoLogin call.
In addition, using Oracle Access Manager as the OIDC domain for single sign-on is now supported. For details, see “OpenID Connect Support” on the Akana documentation website.
Case number: 01002120
When using Okta as an external OAuth provider, the "audience" field was not being passed properly, resulting in a general system error.
Case number: 00991749
When configuring the Test Client with security settings, one or more header parameters can now be added, both for internal and external OAuth providers.
Case number: 00678067
The Akana platform has added certification for Oracle 23c.
Due to some limitations with Oracle 23c, however, it is not yet certified with Lifecycle Coordinator, Lifecycle Manager, and Lifecycle Repository, which includes Promotions and Custom Properties.
Case number: No related case number
In the Community Manager developer portal, the display of an API's logs would repeatedly return to the top of the screen when viewing a log's expanded detail.
Case number: 01057294
In the Community Manager Developer Portal, deleting an API did not correctly decrement the number of apps displayed under "APIs Connected" on the My Apps page.
Case number: No related case number
When creating a shared secret for an app in the Community Manager portal, the secret could be saved in an unreadable format if it contained special characters.
Case number: 00900221
When configured with the "Fail Early" setting, the HTTP Message Validation policy failed to validate the message value against oneOf, allOf, or anyOf subschemas.
Case number: 01022402
After upgrading to 2022.1.2, some SQL queries could take more than 30 seconds during the provisioning part of installation.
Case number: 01031006
December 5, 2023
When using the Concurrency Quota Policy with any other policy that validates a response, a validation failure resulted in an unrecoverable state.
Case number: 00987844
When updating the context path of an API, the Developer Portal automatically updates the WSDL port name for that API. If an application has already set the WSDL port name, this automatic update could change the port name and therefore result in a failure to consume the API. Now, the portal checks if a WSDL port name already exists; if so, it is not updated.
Case number: 00947521
When configuring the Detailed Auditing Policy for failure and the Basic Auditing Policy for success, and then sending the request for any API, the response body was logged on successful transactions.
Case number: 01024495
SOAP services returned an HTTP 404 error "File not found" when "Bind to all interfaces" was not selected on API Gateway listeners. Now, a SOAP service works even when unchecking "Bind to all interfaces."
Case number: No related case number
November 1, 2023
Note: These fixes have also been provided with 2022.1.2.3.
When new certificates were added to Policy Manager, Network Director could become unresponsive, resulting in the failure of some requests.
Case number: 00831818
Calling the API Revoke Token to revoke an existing OAuth token could return an error if the "Encrypt JWT Access Token" option under Akana OAuth/OIDC Provider settings was enabled.
Case number: 00925204
June 30, 2023
The following index fields have been added to Log4j 2.x Elasticsearch appender:
Case number: No related case number
Support ticket: No related support tickets.
When configuring a signing key using HSM (hardware security module) as an external keystore, generation of the OAuth provider access token could fail in some situations.
Case number: 00921624
Support ticket: No related support tickets.
June 8, 2023
Note: This issue also shipped with 2022.1.3.
When signing in using an external keystore and an alias, the UI incorrectly required a password, causing the login to fail.
Case number: No related case number
May 31, 2023
When the environment was configured to use an external keystore, assigning a user alias in the Manage PKI Keys Wizard could fail.
Case number: No related case number
Support ticket: No related support tickets.
May 19, 2023
A custom JOSE Profile-Driven Security policy could fail to find a private key to decrypt a request when using this type of configuration:
<amz:jwsSource getPrivateKeyViaCert="true">
    <amz:fromJwkSet filterByUse="true" jwksUrl="${jwks.url}" selectNewest="true" />
</amz:jwsSource>
Case number: 00902251
Support ticket: No related support tickets.
May 5, 2023
Editing an API in Community Manager that was based on a service created in Policy Manager could return an error "General system error. Contact system administrator."
Case number: 00902274
Support ticket: No related support tickets.
May 9, 2023
When using an external keystore, such as Entrust HSM, a validation error could be returned regarding public certificates.
Case number: No related case number
Support ticket: No related support tickets.
April 17, 2023
This release adds support for AWS CloudHSM (hardware security module). CloudHSM support includes management of identities and certificates via APIs:
APIs that assign PKI keys:
APIs that manage certificates:
When the crit header is missing, the JOSE Security v2 policy will respond with the HTTP response status code "401 Unauthorized" and the message "Authentication error. crit header is missing."
In addition, the changes below apply to both Detached Non-OpenBanking and Non-Detached Non-OpenBanking scenarios:
Case number: 00634481
Support ticket: SUPPORT-45684
Creating MongoDB indices now uses asynchronous APIs to improve performance and avoid situations in which execution could be blocked. Additional log statements have been added to monitor the status of index creation, including "Creating index [index_name]," "Created index [index_name]," and "Index creation failed for [indexName]."
Support ticket: No related support tickets.
Support has been added for TLS connections with the Elasticsearch Log Appender.
Support ticket: No related support tickets.
Akana is now configured to connect securely to Elasticsearch 8.5.3 using credentials and certificates.
Support ticket: No related support tickets.
When using the PingFederate version 9.x or above as the external OAuth provider, PKCE (Proof Key for Code Exchange) is now supported for authorization. This is configured in the OAuth Profile Authorization settings for the app, usually by a site admin.
Case number: 00634360
Support ticket: SUPPORT-48634
In 2022.1.2 the following plugins have been merged into the Akana core product:
Any existing XML JOSE Extension Policy will continue to work seamlessly as an XML based policy and not as a JOSE Profile-Driven Security policy that is created from the Community Manager UI.
Similarly, any existing JOSE Profile-Driven Security policies will continue to work seamlessly as JOSE Profile-Driven Security policies.
Support ticket: No related support tickets.
Updates have been made to the MongoDB indexes to address timeout and latency issues when retrieving analytics log data.
Case number: 00826021
Support ticket: No related support tickets.
To avoid timing out HTTP connections between search requests, Elasticsearch now defaults to enabling TCP keepalives. Note that this just enables the Elasticsearch client to use the keep-alive functionality. You may still need to modify your server sysctl settings, as described in the Elasticsearch issue "Enable TCP keepalives by default in Java REST clients #65213."
Case number: 00602431
Support ticket: SUPPORT-48512
A new automation recipe has been provided to configure an external keystore, used to manage all the PKI keys and certificates for a container. See Automation Examples in the Akana online documentation.
Support ticket: No related support tickets.
Support has been added for MongoDB 4.4.
Case numbers: 00829271, 00826021, 00771286
Support ticket: No related support tickets.
Akana 2022.1.2 has added support for ElasticSearch 8.5.x. See System Requirements in the Akana online documentation.
Support ticket: No related support tickets.
Any change in terms of policies attached to or detached from an API can now trigger an alert. Custom alert codes can be created using the Add Alert Code function. See "How to define an Alert Code to Audit an Event section" in the online help at http://help.akana.com/content/current/ag/alerts/using_alert_codes.htm for more information.
Case number: 00770203
Support ticket: SUPPORT-50624
The discovery URL/well-known configuration URL for OIDC now displays the id token signing algorithm, the id token encryption algorithm and the id token content encryption algorithm, based on the user's selection. Prior to this change, the well-known configuration displayed just the default list of algorithms.
Support ticket: SUPPORT-22663
The Internet Protocol version 6 (IPv6) address format, in addition to the existing IPv4 format, is now supported for invoking downstream services.
Support ticket: No related support tickets.
A new property TENANT_SCHEME can be included in the pm-cm-all.properties file for the cm-tenant.json recipe to assign a protocol. HTTP is the default if not set. To change it to HTTPS, for instance, include the following in the properties file:
TENANT_SCHEME=https
Support ticket: No related support tickets.
Policy Manager has added Hardware Security Module (HSM) support for the SAML Web SSO Domain setup.
Support ticket: SUPPORT-42350, SUPPORT-50455
The Akana OAuth/OIDC Provider JWKS URL now exposes the public key as a JWK (including kid, x5c, x5t, and x5t#S256) corresponding to the private key used to sign the access token. This is configured in Akana OAuth/OIDC Provider > Token (tab) > Reference Signing Key from Platform Identity. The "kid" value in the JWK matches the "Reference Signing Key from Platform Identity" value.
Case number: 00617897
Support ticket: SUPPORT-27525
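The following is an added example, not Akana code, showing how a token consumer should use the JWK published at the JWKS URL described above: it selects the entry whose kid matches the JWT header, and checks that the entry's x5t and x5t#S256 thumbprints really belong to the certificate in x5c[0] before trusting the key. The certificate bytes, the kid value "platform-signing-key" and the token are constructed placeholders; signature verification itself (which needs a JOSE library) is not shown.

```python
"""Resolve and sanity-check the signing JWK referenced by a JWT (added example)."""
import base64
import hashlib
import json
from typing import Dict, List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprints(cert_der: bytes) -> Dict[str, str]:
    # RFC 7515 sections 4.1.7 and 4.1.8: x5t is base64url(SHA-1(DER)),
    # x5t#S256 is base64url(SHA-256(DER)), both over the raw DER certificate.
    return {
        "x5t": b64url_encode(hashlib.sha1(cert_der).digest()),
        "x5t#S256": b64url_encode(hashlib.sha256(cert_der).digest()),
    }


# Constructed placeholder standing in for a DER-encoded X.509 certificate.
# A real provider publishes the certificate of its token signing key here.
PLACEHOLDER_CERT_DER = b"\x30\x82\x01\x00placeholder-der-certificate-bytes"
# Assumed value of "Reference Signing Key from Platform Identity"; it becomes the kid.
REFERENCE_KID = "platform-signing-key"


def build_sample_jwks() -> Dict[str, list]:
    """Build a JWKS document with the shape the page describes (constructed sample)."""
    jwk = {
        "kty": "RSA", "use": "sig", "alg": "RS256", "kid": REFERENCE_KID,
        # x5c carries the certificate in plain base64 (not base64url).
        "x5c": [base64.b64encode(PLACEHOLDER_CERT_DER).decode("ascii")],
    }
    jwk.update(cert_thumbprints(PLACEHOLDER_CERT_DER))
    return {"keys": [jwk]}


def build_sample_token(kid: str) -> str:
    """Constructed JWT (header.payload.signature); only the header kid matters here."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "app-123"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


def jwk_problems(jwk: Dict) -> List[str]:
    """Return the inconsistencies found in one JWKS entry (empty list = consistent)."""
    problems: List[str] = []
    x5c = jwk.get("x5c") or []
    if not x5c:
        return ["missing x5c"]
    expected = cert_thumbprints(base64.b64decode(x5c[0]))
    for name, value in expected.items():
        # Only compare thumbprints the provider actually published.
        if name in jwk and jwk[name] != value:
            problems.append(f"{name} does not match x5c[0]")
    if jwk.get("use", "sig") != "sig":
        problems.append("key is not marked for signature use")
    return problems


def resolve_signing_key(token: str, jwks: Dict) -> Optional[Dict]:
    """Pick the JWKS entry whose kid matches the token header; refuse inconsistent entries."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == header.get("kid"):
            return jwk if not jwk_problems(jwk) else None
    return None


if __name__ == "__main__":
    sample_jwks = build_sample_jwks()
    print(resolve_signing_key(build_sample_token(REFERENCE_KID), sample_jwks))
```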
When promoting an API between Community Manager instances via Lifecycle Coordinator, the default timeout has been increased from 2 minutes to 5 minutes.
Support ticket: No related support tickets.
Filtering usage data by service has been improved.
Support ticket: SUPPORT-32488
When the Throughput Quota policy is configured with a limit of x requests per time interval, the throughput limit exceeded error is returned for x + two requests instead of x + one request.
When a quota policy is attached to a license and the defined interval is in minutes, the API Analytics License page does not return charts for the API Quota Usage. The other charts on API Analytics License page return proper results.
After upgrading the JRE shipped with the product from 2019.1.36 to 2020.2, the error message returned for untrusted certificates changed. The new version of the JRE returns a socket error rather than an error specific to an untrusted certificate. This is not a change in Akana; rather, it is a change in the JRE version.
Case number: 00797955
The Business Service Level Policy generates only one alert even when multiple alerts are configured.
The Operational Aggregate Policy could fail when assigned at the operation level using the HTTP Basic Authentication policy or the OAuth Security policy, returning an HTTP "401 Unauthorized access" error.
Case number: 00847940
The Admin Console of the container may intermittently display an error dialog reporting duplicate valid session cookies. The Admin Console may then become unresponsive or may return an HTTP 404 error "File not found." Clearing browser cookies clears this error.
Any exception results in two identical stack traces written to the log file.
Additionally, when the JOSE Profile Policy is used and Forced Diagnostic Logging is turned on, the trace block is written twice and the second trace block has a stack trace appended even when there is no exception.
The Business Service Level policy is successfully applied when attached at the API level, but will not function as expected if attached while creating an App contract.
MongoDB Aggregation Pipeline support for data rollups was introduced in the 2022.1.0 release. In 2022.1.x versions, this is not supported for Akana customers upgrading from a 2020.x or earlier version. Aggregation support will be provided for these customers again in an upcoming patch release.
For Akana customers who are using MongoDB for the first time with their 2022.1.x deployment, Aggregation is supported.
MongoDB options are configured in the Admin Console under Configuration > Configuration Categories > com.soa.persistence.mongodb.
A search based on a tag fails if the tag search criteria includes numeric characters.
No payload is required for delete operations on an API associated with the JOSE v2 policy (Unencoded Payload Support).
Case number: 00602226
Support ticket: SUPPORT-49032
All critical and high severity CVEs reported by Prisma through March 20th, 2023, have been resolved.
Case number: 00772571
Support ticket: SUPPORT-51108
The default cache size has been increased to 1,500 to provide more consistent and reliable gateway performance in deployments with a large number of policy-based scripts and APIs.
Case number: 00841743
Support ticket: No related support tickets.
When renaming an API in Community Manager, the name change on the physical, virtual, and design entities representing the API in Policy Manager may not have updated.
Support ticket: SUPPORT-2223, SUPPORT-29662, SUPPORT-1213, SUPPORT-42250, SUPPORT-44813
After creating a new API or app in Community Manager, its initial version for the "Design entity" did not properly display in Policy Manager.
Support ticket: SUPPORT-2223
In Community Manager, a new API created with a YAML file was not properly displayed in the API Design and API Documentation pages.
Support ticket: No related support tickets.
A custom theme created by cloning the Bonita theme did not load if the Bonita theme was subsequently deleted.
Support ticket: No related support tickets.
When upgrading to 2022.1.x and running automation recipes, provisioning could fail to complete, producing a timeout error when the SiteMinder plugin was included.
Case number: 00865285
Support ticket: No related support tickets.
When the CA SiteMinder identity system was installed, Policy Manager could fail to start.
Support ticket: No related support tickets.
The automation recipe cm-es-index-upgrade.json has been updated to handle Elasticsearch index upgrades when an index prefix is other than "default".
Now, this recipe determines the tenants' configured index name prefix and correctly upgrades the indices.
Case number: 00634516
Support ticket: SUPPORT-44772
Some indexes created by the schema update task were not run in the background. This could cause MongoDB outage problems if there was a lot of data and the index creation was lengthy.
Support ticket: No related support tickets.
The Akana OAuth Provider token endpoint returned an HTTP "401 Unauthorized" error when the client_id value was missing from the token request. The error message has been corrected and is now an HTTP "400 Bad Request" error.
Support ticket: SUPPORT-50092
For the Akana OAuth/OIDC domain, the openbanking_intent_id was not properly returned.
Support ticket: SUPPORT-50090
After configuring Community Manager's login page to have a transparent logo, the logo did not render properly at login.
Support ticket: No related support tickets.
When using the PKCE security extension for OAuth with the Authorization Code grant type, getting the access token required the client secret. Now, the access token can be obtained without sending the client secret.
Case number: 00712935
Support ticket: No related support tickets.
If existing users in an OIDC domain changed their details, those changes were not fully reflected in the database.
Case number: 00619260
Support ticket: SUPPORT-42390
If a mandatory parameter was not sent with the request when using the OAuth provider and HTTP Form-Based Authentication, a 400 Bad Request error was returned with an invalid_client error code. Now the returned error code has been changed to invalid_request error, which is more accurate.
Case number: 00769607
Support ticket: SUPPORT-50092
If APIs or apps were deleted and the Oracle table UDDI_SERVICE did not have the DELETE CASCADE constraint set, the records in the child table UDDI_INST_DETAILS were not deleted, resulting in inconsistent behavior. Now, the DELETE CASCADE constraint has been added to the UDDI_INST_DETAILS table.
Case number: 00769624
Support ticket: SUPPORT-50188
When an app was deleted, its OAuth profile was still available, and requesting access could still return an access token to the app.
Case numbers: 00820078, 00820458
Support ticket: No related support tickets.
Authentication between Network Director and Policy Manager could intermittently fail with an invalid credentials error, after upgrading to 2022.1.1.
Case number: 00764571
Support ticket: No related support tickets.
If a WSDL file included a parameter after the "action=" parameter (rather than after the operation) in the HTTP Content-Type header, the WSDL operation was not identified correctly, even though parameters should be allowed at this location in a WSDL file.
Case number: 00813334
Support ticket: No related support tickets.
If no certificate was sent when using the HTTP Security policy configured with Client Certificate, the returned error HTTP "401 Unauthorized" included an incorrect header that was specific to Basic Authentication.
Support ticket: No related support tickets.
Changes to a physical service in Policy Manager could result in the automatic removal of Operational and/or QoS (Quality of Service) policies attached to the same physical service (a logical representation of an API/service external to the Akana API platform).
Case number: 00619475
Support ticket: SUPPORT-41793
When using the SPNEGO Operational policy with the Kerberos Authentication policy, the service could not successfully get the Kerberos ticket (TGT) due to cache-refresh issues. This subsequently caused the API call to fail. The Kerberos ticket is now refreshed and cached after its expiration.
Support ticket: SUPPORT-46684
Various updates and imports were not updating the Network Director container, including the import of a new API, attaching new policies to APIs, or modifying the target endpoint. Now, these changes are reflected in Network Director without the need to restart the container.
Support ticket: No related support tickets.
The Javascript libraries with security vulnerabilities have been upgraded as follows:
Case number: 00687904
Support ticket: No related support tickets.
Real-time charts for 15 and 60-minute intervals no longer appear malformed.
Case number: 00798440
Support ticket: SUPPORT-41878
An error is no longer returned after invoking the Akana Ping Support feature on either a Policy Manager or Community Manager container.
Support ticket: No related support tickets.
Optimization has improved the response times for the following platform APIs: login, apps, tickets, and contracts.
Case number: 00770035
Support ticket: SUPPORT-50212, SUPPORT-50210
When attached to the Physical Service (target), the OAuth Client policy worked only when trace logging was enabled in Network Director.
Case number: 00619471
Support ticket: SUPPORT-41804, SUPPORT-43789
Communication between Network Director(s) and Policy Manager failed intermittently due to the cached Policy Manager public key in the Network Director(s) becoming invalid.
Support ticket: SUPPORT-49545
A new configuration property swagger.config.maxDepth has been added to com.akana.swagger, available in the Admin Console. This property defines how many levels down to parse a schema object's properties/schemas for OAS/Swagger APIs. The default is 10. Increasing the default level may impact performance with large APIs.
Support ticket: SUPPORT-49065
If both the active and inactive session timeout settings are set, the inactive session timeout setting could be ignored and in some cases, an error could be returned. Session timeout settings now work as expected.
Support ticket: SUPPORT-45430
When adding or modifying an organization in the Policy Manager Console, then selecting an organization type, in some cases the type was not saved correctly, resulting in a failure to load the organization overview.
Support ticket: No related support tickets.
When creating an Authentication policy, the domain options incorrectly included all customer domains. Now, only domains associated with organization or tenant are available for selection.
Support ticket: No related support tickets.
If an API was previously deleted and imported back into the tenant, the API was not placed in the correct API organization.
Support ticket: No related support tickets.
The GET /api/apis/versions/<apiVersionId>/contracts API mistakenly used title case Start and Count query parameters when all other methods use lower case start and count query parameters. Now, lower case start and count query parameters are allowed, while title case Start and Count have been retained for backward compatibility.
Support ticket: SUPPORT-35863
When uploading an image to the API Documentation page in Community Manager, the image was not saved properly in some cases.
Support ticket: SUPPORT-48664
When a draft version of a policy existed with a newer version than the active policy, the active policy did not display. Now, any policy that is active, regardless of whether there is a draft version that would supersede it, displays appropriately in the list of policies on the API Implementations > Edit Policies page.
Support ticket: SUPPORT-46680
February 24, 2022
This release adds support for GraphQL, a query language for APIs. Using GraphQL, the client can request information in a single GraphQL request that might previously have required multiple traditional REST API requests. For details, see "Installing and Configuring GraphQL for the Akana API Platform" on the Akana docs site.
Although the new Admin Console is automatically installed with this release, it is not yet the default console. The current Akana Admin Console will be deprecated in a future release when it will be replaced by the new Admin Console as the default.
We strongly encourage users to try the new Admin Console and provide feedback to Akana via the Support desk.
To use the new Admin Console, navigate to http://host:port/admin/ui/index.html. The default Admin Console will continue to be accessed at http://host:port/admin. For more detail, see "Akana Administration Console" on the Akana docs site.
Known issue: In the new Admin Console, in the Add Database task, running this task for a second time only gives the option to connect to an existing database. Workaround: If you want to create a database using the Add Database task, switch to the default Admin Console to make this change. As a best practice, it is preferable to have the database administrator create the database, and then connect to it using this configuration task.
A new policy, the JOSE Profile-Driven Security Policy, allows users to supplement the JOSE Security Policy v2 with additional security standards such as RSA Adaptive Authentication for eCommerce, Visa Token Service, or UK Open Banking Event Notifications.
For details, see "Using the JOSE Profile-Driven Security Policy" on the Akana docs site.
Apache Axis 1.4 is deprecated with this release, replaced by Apache Axis2 1.7.9. Axis is a call component used in the Management Point pipeline.
Support ticket: No support ticket
Purge intervals were not defined for MongoDB's OPERATIONAL_METRIC rollup configuration, resulting in rollup data for MINUTES and HOURS being kept for a year before being purged. Default settings are based on the value._rolluptype as follows:
Rollup Type | Default Purge Interval |
---|---|
MINUTES | 1 day |
HOURS | 1 week |
DAYS | 1 year |
WEEK | 1 year |
MONTH | 1 year |
YEAR | 1 year |
Support ticket: No related support tickets.
The OpenJDK JRE version that ships with the product has been upgraded from 1.8.0_275 to the latest version, 1.8.0_292.
Support ticket: No related support tickets.
The API Consumer Application Security Policy has added support for cipher suite HMAC-SHA512, available as an option on the policy page. For more information, see "Configuring API Consumer Application Security Policy options" on the Akana documentation website.
Support ticket: SUPPORT-43228
LDAP groups already configured in an LDAP directory can now be accessed within an OpenID Connect configuration, so that users in those groups can log in to the Community Manager developer portal using their LDAP logins.
Support ticket: SUPPORT-41444
For an API based on OpenAPI 3.0 (OAS), its documentation now supports the inclusion of a full example, or multiple examples, for parameters, request bodies, or responses.
Support ticket: SUPPORT-41503
In the Business Metrics Policy, you can now map the Application ID to a custom dimension in the Operational Dimension list.
Support ticket: SUPPORT-39779, SUPPORT-39605
In addition to width customizations, the logo in the top left corner of the Community Manager developer portal is also now customizable by height and padding.
Support ticket: No related support tickets.
Some policy configuration details did not display when access to the internet was restricted for the application.
Support ticket: SUPPORT-46233
The RAML parser was incorrectly parsing global schemas in some cases, resulting in the global models not appearing in the wsdl:types section of the schema.
Support ticket: No related support tickets.
The API Analytics pie chart (API > Analytics > Overview) could display incorrect operation chart values in some cases.
Support ticket: SUPPORT-38763
API request payloads of content-type "application/json" were being transformed to XML before the request was sent downstream, if the request media type for the operation used API Default, and if the Default Media Types for the API were set to "Any in and out".
Support ticket: SUPPORT-43265
Swagger documents containing operations with responses of different content types did not display correctly on the API Details and API Designer pages.
Support ticket: SUPPORT-40901
In Policy Manager, custom policies now work when the PM context path is something other than /. Previously, if the context path was not at root, the policies would not display correctly in the UI.
Support ticket: No related support tickets.
The "email.from" message part was always part of the developer portal notification email templates, but if a custom value was provided, it was not used.
Support has now been added for checking if a value was provided for this message part on the email message template before sending a notification. If a value has been set, it is used as the "from" address on the email.
Support ticket: SUPPORT-21396
When disabling or enabling basic authentication on the Health tab (Admin Console > Health tab), the setting did not always persist after restarting the container.
Support ticket: SUPPORT-40551
After installing the Lifecycle Coordinator and Lifecycle Repository features onto a Policy Manager or Community Manager container but never using them, uninstalling these features could render the Community Manager console inaccessible.
Support ticket: SUPPORT-41627
Work related to the entry "General updates to strengthen password security" from the 2020.2.5 release was reverted in 2020.2.6, but has now been reinstated.
Support ticket: No related support tickets.
API creation was failing when importing an OpenAPI (OAS 3.0) file that had a circular reference to a schema, returning a "Recursion Depth Exceeded" exception.
Support ticket: SUPPORT-41462
In some cases, modifying a target endpoint in the Community Manager Development Portal could return a general system error without modifying the endpoint.
Support ticket: SUPPORT-26334
Malicious content injection was possible during a search because a returned fault string could display implementation details to the user. Implementation details are now hidden.
Support ticket: SUPPORT-41473
To accommodate a potential right column, such as in a promotion environment, the descriptions for APIs, API versions, apps, and app versions are now limited to 480 characters.
Support ticket: No related support tickets.
All external OAuth provider URLs are validated against the allowed hosts for a tenant.
Support ticket: No related support tickets.
For the Lifecycle Repository, running the "Set Lifecycle Repository Password" action and unchecking the "Set superuser password" option could prevent access to the superuser login page.
Support ticket: No related support tickets.
Two APIs were accessible to users without proper authentication: GET /api/businesses/{BusinessID}/apisettings and GET /api/login/domains.
Support ticket: No related support tickets.
For an API using OAuth, an error could be returned for a Swagger or OAS 3.0 Test Client when the required OAuth Authorization header was configured in the API. This occurred because a dummy Authorization header value in an incorrect format was passed.
Support ticket: SUPPORT-37435
Script execution is now validated at runtime against the engine types listed in com.soa.script.framework.properties in the Admin Console for the Network Director container. If the script type is not found in the script.engine.manager.engines properties list, script execution will fail.
Support ticket: No related support tickets.