Akana API Platform Release Notes 2022.1.1

 

Date April 01, 2022

Version 2022.1.1

Document updated on: 2022-04-01 11:25, Pacific Standard Time

System Requirements

Upgrading Akana API Platform to Version 2020.1.x, 2020.2.x, or 2022.1.x

 

Create indexes before upgrading

It's recommended to create indexes before upgrading to 2020.2.x. See Create indexes before upgrading.

UI customizations

If you have UI customizations, rebuild styles after upgrade (Admin > Customization > Rebuild Styles), then test your customizations.

Post-GA Updates

Date | Release version | Changes
March 4, 2022 | 2022.1.1 | Removed the section "Known Issues" from Version 2022.1.0, as the issue has been addressed.
March 4, 2022 | 2022.1.1 | Enhancements for previous versions 2020.2.16 and 2020.2.17 have been added to this file.
April 1, 2022 | 2022.1.1 | Corrected links to "System Requirements" and "Upgrading Akana API Platform..." above.

 

Version 2022.1.1

March 7, 2022

Enhancements: 2022.1.1

This release includes no enhancements.

Bug Fixes: 2022.1.1

Standalone container config wizard did not start

The standalone Configure Container Instance Wizard was failing to start due to incorrect configuration of the location of some required bundles. The configuration has been updated to the correct location.

Support ticket: SUPPORT-48823

AMQP messaging issue fixed

For 2022.1.0, the AMQP protocol was not working as expected. With this release, the issue is fixed, and its "Known Issues" entry has been removed.

Support ticket: No related support tickets.

Version 2022.1.0

February 24, 2022

Key Features: 2022.1.0

Note: The key features here are specific to 2022.1.0 and are not available in earlier 2020.2.x update releases. For features and enhancements also available in 2022.1.0 but delivered in previous 2020.2.x update releases, see each update version below.

GraphQL query language now supported

This release adds support for GraphQL, a query language for APIs. Using GraphQL, the client can request information in a single GraphQL request that might previously have required multiple traditional REST API requests. For details, see "Installing and Configuring GraphQL for the Akana API Platform" on the Akana docs site.

New Akana Admin Console

Although the new Admin Console is automatically installed with this release, it is not yet the default console. The current Akana Admin Console will be deprecated in a future release, when the new Admin Console will replace it as the default.

We strongly encourage users to try the new Admin Console and provide feedback to Akana via the Support desk.

To use the new Admin Console, navigate to http://host:port/admin/ui/index.html. The default Admin Console will continue to be accessed at http://host:port/admin. For more detail, see "Akana Administration Console" on the Akana docs site.

Known issue: In the new Admin Console, in the Add Database task, running this task for a second time only gives the option to connect to an existing database. Workaround: If you want to create a database using the Add Database task, switch to the default Admin Console to make this change. As a best practice, it is preferable to have the database administrator create the database, and then connect to it using this configuration task.

New JOSE Profile-Driven Security Policy

A new policy, the JOSE Profile-Driven Security Policy, allows users to supplement the JOSE Security Policy v2 with additional security standards such as RSA Adaptive Authentication for eCommerce, Visa Token Service, or UK Open Banking Event Notifications.

For details, see "Using the JOSE Profile-Driven Security Policy" on the Akana docs site.

Deprecations and Removals

Apache Axis 1.4 deprecated and replaced by Axis2 1.7.9

Apache Axis 1.4 is deprecated with this release, replaced by Apache Axis2 1.7.9. Axis is a call component used in the Management Point pipeline.

Support ticket: No support ticket

Enhancements: 2022.1.0

MongoDB Operational metric rollup configuration now has purge intervals

Purge intervals were not defined for MongoDB's OPERATIONAL_METRIC rollup configuration, resulting in rollup data for MINUTES and HOURS being kept for a year before being purged. Default settings are based on the value._rolluptype as follows:

Rollup Type -> Default Purge Interval
MINUTES -> 1 day
HOURS -> 1 week
DAYS -> 1 year
WEEK -> 1 year
MONTH -> 1 year
YEAR -> 1 year

Support ticket: No related support tickets.

OpenJDK JRE version has been updated to 1.8.0_292

The OpenJDK JRE version that ships with the product has been upgraded from 1.8.0_275 to the latest version, 1.8.0_292.

Support ticket: No related support tickets.

API Consumer Application Security Policy now supports HMAC-SHA512

The API Consumer Application Security Policy has added support for cipher suite HMAC-SHA512, available as an option on the policy page. For more information, see "Configuring API Consumer Application Security Policy options" on the Akana documentation website.

Support ticket: SUPPORT-43228

Support added for LDAP users to log in to an OIDC provider

LDAP groups already configured in an LDAP directory can now be accessed within an OpenID Connect configuration, so that members of those groups can log in to the Community Manager Development Portal using their LDAP logins.

Support ticket: SUPPORT-41444

For OpenAPI 3.0, parameters, request bodies, and responses can now contain examples

For an API based on OpenAPI 3.0 (OAS), its documentation now supports the inclusion of a full example, or multiple examples, for parameters, request bodies, or responses.

Support ticket: SUPPORT-41503

New MongoDB option to use Aggregation Pipeline for data rollups

MongoDB data rollups can now be performed using a MongoDB Aggregation Pipeline (requiring MongoDB 4.2 or later). A new property in the Admin Console controls whether to use the new pipeline or the previous Map/Reduce option, available under Configuration > Configuration Categories > com.soa.persistence.mongodb.

To reduce the memory footprint of the Mongo _id, the new Mongo Aggregation framework now compresses all the individual fields. The ContainerKey in the _id remains intact for sharding purposes.

Note: This will result in two sets of rollup data until the old documents with individual fields are purged.

For details, see "Using the Aggregation Pipeline for data rollups" on the Akana docs site.

Support ticket: No related support tickets.

Business Metrics Policy includes the app ID for mapping to a custom dimension

In the Business Metrics Policy, you can now map the Application ID to a custom dimension in the Operational Dimension list.

Support ticket: SUPPORT-39779, SUPPORT-39605

Community Manager developer portal's logo is now more customizable

In addition to width customizations, the logo in the top left corner of the Community Manager developer portal is also now customizable by height and padding.

Support ticket: No related support tickets.

Bug Fixes: 2022.1.0

In Policy Manager, internet restrictions could impact viewing policy details

Some policy configuration details did not display when access to the internet was restricted for the application.

Support ticket: SUPPORT-46233

The RAML parser was not processing global schemas correctly

The RAML parser was incorrectly parsing global schemas in some cases, resulting in the global models not appearing in the wsdl:types section of the schema.

Support ticket: No related support tickets.

Analytics pie chart could incorrectly report operation chart values

The API Analytics pie chart (API > Analytics > Overview) could display incorrect operation chart values in some cases.

Support ticket: SUPPORT-38763

Setting API Default as request media type for an operation did not work as expected

API request payloads of content-type "application/json" were being transformed to XML before the request was sent downstream, if the request media type for the operation used API Default, and if the Default Media Types for the API were set to "Any in and out".

Support ticket: SUPPORT-43265

Some Swagger documents did not display correctly on the API Details and Designer pages

Swagger documents containing operations with responses of different content types did not display correctly on the API Details and API Designer pages.

Support ticket: SUPPORT-40901

Custom policies did not display when a PM Context path was not "/"

In Policy Manager, custom policies now work when the PM context path is something other than /. Previously, if the context path was not at root, the policies would not display correctly in the UI.

Support ticket: No related support tickets.

Support added for checking for an "email.from" message part

The "email.from" message part was always part of the developer portal notification email templates, but if a custom value was provided, it was not used.

Support has now been added for checking if a value was provided for this message part on the email message template before sending a notification. If a value has been set, it is used as the "from" address on the email.

Support ticket: SUPPORT-21396

Enabling/disabling basic authentication setting did not persist after container restart

When disabling or enabling basic authentication on the Health tab (Admin Console > Health tab), the setting did not always persist after restarting the container.

Support ticket: SUPPORT-40551

Installing, then uninstalling, Lifecycle Coordinator/Repository could render the Community Manager console inaccessible

After installing the Lifecycle Coordinator and Lifecycle Repository features onto a Policy Manager or Community Manager container but never using them, uninstalling these features could render the Community Manager console inaccessible.

Support ticket: SUPPORT-41627

Password security updates from 2020.2.5 reinstated

Work related to the entry "General updates to strengthen password security" from the 2020.2.5 release was reverted in 2020.2.6, but has now been reinstated.

Support ticket: No related support tickets.

API creation could fail when importing an OpenAPI 3.0 file with a circular reference

API creation was failing when importing an OpenAPI (OAS 3.0) file that had a circular reference to a schema, returning a "Recursion Depth Exceeded" exception.

Support ticket: SUPPORT-41462

Modifying a target endpoint could return an error

In some cases, modifying a target endpoint in the Community Manager Development Portal could return a general system error without modifying the endpoint.

Support ticket: SUPPORT-26334

A returned fault string could display details and risk content injection while searching

Malicious content injection was possible during a search because a returned fault string could display implementation details to the user. Implementation details are now hidden.

Support ticket: SUPPORT-41473

API descriptions for APIs and apps now limited in length

To accommodate a potential right column, such as in a promotion environment, the descriptions for APIs, API versions, apps, and app versions are now limited to 480 characters.

Support ticket: No related support tickets.

Enhanced validation added for external OAuth provider URLs

All external OAuth provider URLs are validated against the allowed hosts for a tenant.

Support ticket: No related support tickets.

The "Set Lifecycle Repository Password" option could fail in some cases

For the Lifecycle Repository, running the "Set Lifecycle Repository Password" action and unchecking the "Set superuser password" option could prevent access to the superuser login page.

Support ticket: No related support tickets.

Some APIs were accessible without authentication

Two APIs were accessible to users without proper authentication: GET /api/businesses/{BusinessID}/apisettings and GET /api/login/domains.

Support ticket: No related support tickets.

The OAuth Authorization header was not setting the scheme

For an API using OAuth, an error could be returned for a Swagger or OAS 3.0 Test Client when the required OAuth Authorization header was configured in the API. This occurred because a dummy authorization header value in an incorrect format was passed.

Support ticket: SUPPORT-37435

Network Director: Script execution allowed requests for unsupported script languages

Script execution is now validated at runtime against the engine types listed in com.soa.script.framework.properties in the Admin Console for the Network Director container. If the script type is not found in the script.engine.manager.engines properties list, script execution will fail.

Support ticket: No related support tickets.

Version 2020.2.17

February 3, 2022

Enhancements: 2020.2.17

Elasticsearch Log Appender Plug-In has been replaced in 2020.2.17

The Akana Elasticsearch Log4J Appender Plug-In no longer works with releases after 2020.2.16 following the introduction of Log4J 2.x as the core logging framework in the Akana product. Because of this, a new off-the-shelf appender is now incorporated into the product. Users of the legacy Appender will need to migrate to the new configuration when upgrading. For detail, see "Configuring the Elasticsearch Log Appender (2020.2.17 and later)" on the Akana docs site.

Support ticket: No related support tickets.

Version 2020.2.16

January 26, 2022

Enhancements: 2020.2.16

Apache Log4j upgraded to Log4j 2

The Apache logging service Log4j has been updated from Log4j 1.x to Log4j 2.17.1 (which avoids the known security vulnerabilities CVE-2021-45105 and CVE-2021-45046). This version of Log4J is incompatible with the previous version and requires a change to the container startup configuration. Because of this, containers will need to be recreated, as updating a container "in place" is not supported. In addition, if you have customized logging in place, you'll also need to refactor your logging configuration. For migration and configuration information, see Migration to Log4j version 2.x on the Akana docs site.

Support ticket: SUPPORT-47917

Version 2020.2.15

December 10, 2021

Enhancements: 2020.2.15

This release includes no enhancements.

Version 2020.2.14

October 8, 2021

Enhancements: 2020.2.14

This release includes no enhancements.

Version 2020.2.13

October 6, 2021

Enhancements: 2020.2.13

New configuration to enforce a crypto provider for Jose V2

A new configuration provides the ability to enforce the crypto provider for the JOSE Security Policy v2, available in the Admin Console under com.akana.jose > jose.v2.security.handler.factory.joseCryptoProvider. For detail, see "Specifying the JCE provider" on the Akana documentation website.

Support ticket: SUPPORT-45507

Version 2020.2.12

September 16, 2022

Enhancements: 2020.2.12

This release includes no enhancements.

Version 2020.2.11

September 11, 2021

Enhancements: 2020.2.11

This release includes no enhancements.

Version 2020.2.10

September 7, 2021

Enhancements: 2020.2.10

Hermosa theme now has descriptive search tooltips

The API search box in the Hermosa theme now has a descriptive tooltip for entering search tags, displayed when clicking in the search box. This tooltip is also available in the general search box in the filter on the search results page.

Support ticket: SUPPORT-43887

Version 2020.2.9

August 2, 2021

Enhancements: 2020.2.9

New workflow function supports a default role assignment to developer portal users using a specific login domain

A new workflow function, addRoleToUser, is available for custom workflow to modify the default platform behavior so that a new user, logging in for the first time with a specific login domain, is automatically assigned to a specific role.

Support ticket: SUPPORT-41444

For third-party documentation using iframes, the platform now handles session management

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), the API platform now handles session management for third-party documentation that uses iframes. When the API documentation is displayed in an iframe, the iframe takes care of renewing the session. In addition, the third-party portal can handle the session before navigating to the iframe API document via a special page (which is provided in the customization samples or from Technical Support).

To take advantage of this, set the height and width of this new page to 0 so that the token is renewed in the background. Load this special page in an iframe in all pages except the API documentation's iframe.

Support ticket: SUPPORT-43303

Custom workflow can mark a third-party user as a registered user at first login

Third-party domain users can be assigned a registered state when logging into the Community Manager for the first time via a new initial action @AllowMarkUserAsRegistered. This is implemented through a custom workflow and overrides the default behavior which first assigns a pending_validation state to external domain users. See @AllowMarkUserAsRegistered on the Akana documentation website for more information.

Support ticket: SUPPORT-43689

The jose.4.j library has been upgraded from 0.6.3 to 0.6.5

The jose.4.j library used on the platform has been upgraded from 0.6.3 to 0.6.5. The new version adds support for the RSASSA-PSS algorithm, necessary when PS256 is selected for digital signing.

Support ticket: SUPPORT-44157

Version 2020.2.8

July 23, 2021

Enhancements: 2020.2.8

File download now available on an API's documentation page

In the Community Manager developer portal, an API's documentation page now features a download option so users can download the corresponding Interface Description Language file.

Support ticket: SUPPORT-43002

Search returns results for an API's summary and description

Community Manager developer portal search returns and displays results for both an API's summary and its description, given a keyword. Previously, only results based on an API's description were returned and displayed.

Support ticket: SUPPORT-40847

The Access button to create a contract between an API and an app can now be controlled according to user role

Site Admins can control whether the Access button to create a contract between an API and an app appears or not, by implementing a custom API workflow that uses a new workflow action @DisallowApiAccess.

Support ticket: SUPPORT-40443

Embedding API documentation in a third-party portal now supports non-library dependent version

When embedding generated API documentation in a third-party portal (see the entry "Ability to embed generated API documentation, including embedded Test Client" added in 2020.2.4), a non-library dependent design is now supported, for example, a design without use of JavaScript. Note that, in this case, the UI's display may be impacted, including scroll bars or a failure to display a loader message while API documentation is in progress.

Support ticket: No related support tickets.

For API descriptions using Markdown, the search returned Markdown syntax

When an API description used the Markdown language, the API Details and Overview pages processed the Markdown and displayed it correctly, but the search displayed the Markdown syntax without processing it. Now, the Markdown is converted to plain text and displayed in the search results. The API Details and Overview pages still display the processed Markdown.

Support ticket: SUPPORT-41836

URL-encoded certificate headers now supported by the HTTP Security Policy

The HTTP Security Policy enforcement handler now has the ability to consume URL-encoded certificate headers.

Support ticket: SUPPORT-43722

New configuration property now controls the RFC compliance level

A new configuration property has been added to the Admin Console supporting the configuration of the RFC compliance level of the HTTP parser. This provides backwards compatibility with older versions of Jetty, and provides support for clients that are not compliant with the latest RFCs.

The new configuration property is com.soa.platform.jetty -> http.incoming.transport.config.compliance. For supported values, see "Configuring the security settings" on the page Configuring Compliance Modes for HTTP Parsing and Handling on the Akana documentation website.

Support ticket: SUPPORT-43722

API Consumer Application Security Policy now supports HMAC-SHA512

The API Consumer Application Security Policy has added support for cipher suite HMAC-SHA512, available as an option on the policy page. For more information, see "Configuring API Consumer Application Security Policy options" on the Akana documentation website.

Support ticket: SUPPORT-43228

Support added for new signing algorithms for OAuth provider PingFederate 10

For OAuth provider PingFederate 10.0.x, support has been added for the Private Key JWT and Request Object signing algorithms, available on an app's Details page by selecting OAuth Profile.

  • Choosing Private Key JWT from the section "Choose from authentication options below" launches a dropdown "Private Key JWT Signing Algorithm" to select a signing algorithm that the client must use to sign the JWTs for client authentication.
  • Choosing Required Signed Requests launches a dropdown to select the signing algorithm that the client must use to sign the request object.

Support ticket: SUPPORT-33433

Auth Token validity is now configurable

The Community Manager developer portal Auth Token validity is now configurable via the Active Login Session Timeout setting. If the Active Login Session Timeout is set to 0, then the Auth Token validity defaults to 30 minutes, as was the default before this update.

Support ticket: SUPPORT-43293

Security settings added to control CSRF defense when using the latest Chrome browser

The latest Chrome browser has changed the default setting it applies to the SameSite attribute, which defends against CSRF attacks. This was resulting in a failure to display API documentation inside an iframe from a third-party portal running on a domain other than the portal domain, in which case, an HTTP "401 Unauthorized" exception could occur.

To ensure the display of API documentation in this situation, there is a new setting on the Security Settings page (Admin > Settings > Security): set the Authentication CSRF Token Cookie Attribute - SameSite field to "None." An existing setting to control the Domain attribute, Authentication and CSRF Token Cookie Attribute - Domain, was also added to this page.

For more information, see "How do I configure settings for business security?" on the Akana documentation site.

Support ticket: No related support tickets.

For OpenAPI 3.0, parameters, request bodies, and responses can now contain examples

For an API based on OpenAPI 3.0 (OAS), its documentation now supports the inclusion of a full example, or multiple examples, for parameters, request bodies, or responses.

Support ticket: SUPPORT-41503

Version 2020.2.7

July 06, 2021

Enhancements: 2020.2.7

Searching with "AND" limits the results appropriately

Searching APIs for keywords using "AND" returns only those APIs that have both elements present. Previously, a search using AND did not properly narrow the results, returning APIs with just one element present.

Support ticket: SUPPORT-40951

Version 2020.2.6

June 18, 2021

Enhancements: 2020.2.6

This release includes no enhancements.

Version 2020.2.5

May 17, 2021

Enhancements: 2020.2.5

Filtering a search by tags is now supported

The search filters in the Community Manager Developer Portal now support searching by an API or app's tag.

Support ticket: SUPPORT-40632, SUPPORT-41146

Community Manager themes now support dynamic resizing on static pages

In the Community Manager developer portal, the height of static pages can now be resized dynamically when there are expand/collapse sections. This enhancement applies to these pages:

Hermosa theme:

  • home/landing
  • home/support
  • API > Documentation

Simple Dev theme:

  • welcome
  • help
  • documentation

Bonita theme:

  • welcome
  • help
  • API > Documentation

Support ticket: SUPPORT-40842

Version 2020.2.4

April 19, 2021

Enhancements: 2020.2.4

Obsolete jQuery versions have been removed

Obsolete jQuery libraries have been deleted from the product. The only distributed version is 3.4.1.

Support ticket: SUPPORT-31089

Ability to embed generated API documentation, including embedded Test Client, in a third-party portal

The generated API documentation currently displayed in the developer portal, either OpenAPI or Swagger, can now also be embedded in a third-party portal. If the generated API documentation includes the embedded Test Client functionality currently supported in the developer portal, embedded Test Client also works in the third-party portal.

Support for this feature includes a new library and a new working customization example in the customization ZIP file. If you do not have the customization ZIP file, ask Technical Support.

Authentication/authorization for the user's access to the API documentation from the third-party portal can be handled by the developer portal's SSO login functionality; for example, with SAML Web SSO or OpenID Connect.

Support ticket: SUPPORT-40315

The version was not displaying properly for APIs and apps on some pages

In the Community Manager developer portal, the version dropdown for APIs and apps was not clickable and the down arrow was not visible in some cases, so that multiple versions would not display. This occurred on the API Documentation page, the API Overview page, and the App details page.

Support ticket: SUPPORT-41168

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups, each entry in the search results includes a list of tags defined for that resource, if they exist. Each tag is now a hyperlink; clicking a tag in a search results entry returns a list of resources that use that tag. The list is specific to the type of resource. For example, on the All APIs page, clicking a tag in a search results entry gives a list of all APIs with that tag. To return a list of all resources that have a specific tag (APIs, apps, and groups), use the top general search bar.

Support ticket: SUPPORT-40634

New search scope capability for an API

The Community Manager developer portal has added support for selecting a search scope, available from the API's Manage Licensing page when "Enable Licensing for API" is selected.

Support ticket: SUPPORT-41169

Envision Demo Data plugin could fail to create charts and dashboards

The Akana Sample Datasets for Demo Charts plug-in, which provides a series of sample datasets for demo charts, could fail to create charts and dashboards, due to special characters in the description fields for these models.

A new configuration property has been added to the Admin Console: analytics.validation.text.denylist under com.soa.persistence.console. This configuration can allow or disallow special characters in the description field used in Analytics Manager.

Support ticket: No related support tickets.

Version 2020.2.3

March 19, 2021

Enhancements: 2020.2.3

Multiple, selected dashboard notifications can now be deleted at once

For a role with permissions to delete a notification, multiple dashboard notifications can now be deleted, either by selecting all or some, then selecting "Delete Checked."

Support ticket: SUP-10607, SUPPORT-40289

"APIs I'm Following" widget now available for inclusion on the Action Dashboard

A widget to display "APIs I'm Following" can now be added to the Community Manager developer portal's tenant Action Dashboard or any other page. Previously, this was found only under the My APIs page.

Support ticket: SUPPORT-40444

When searching, tags associated with a resource now link to a list of all APIs, apps, or groups with that tag

When searching for APIs, apps, or groups on their respective "details" pages, each returned entry includes a list of tags used for that resource, if they exist. These tags are now each hyperlinks, so that clicking on a tag returns a list of all APIs, apps, or groups with that tag.

Support ticket: SUPPORT-40634

Version 2020.2.2

March 8, 2021

Enhancements: 2020.2.2

API Overview page no longer displays the Endpoints section

In the Community Manager developer portal, the Endpoints section on the API Overview page has been removed.

Support ticket: SUPPORT-40340

Importing a Swagger or OpenAPI 3.0 document now updates the version

Importing a modified Swagger or OpenAPI 3.0 document using the API Designer Edit page did not update some parts of the document, specifically the info.version element. Support has been added for updating the API version if the info.version element in an updated design document changes.

Support ticket: SUPPORT-39972

Version 2020.2.1

February 17, 2021

Enhancements: 2020.2.1

Updates to the UI's API Implementations pages

Enhancements have been made to the UI, in particular to the API > Implementations pages, to clarify some functionality.

Support ticket: No related support tickets.

Deprecations and Removals

Consumer Gzip content encoding removed and the consumerGzip configuration is deprecated

Gzip content encoding on the consumer side has been removed, and the configuration transport.config.consumerGzip is now deprecated (available in the Admin Console under Configuration > com.soa.transport).

Support ticket: No support ticket

Version 2020.2.0

February 11, 2021

Create indexes before upgrading

It's recommended to create indexes before upgrading to 2020.2.x:

use METRIC_ROLLUP_DATA

// Compound index on rollup type and executor ID, built in the background
db.OPERATIONAL_METRIC.createIndex(
  {"value._rolluptype": 1, "value.executorId": 1},
  {name: "OPERATIONAL_METRICDeleteOnIDX", background: true})

// Compound index on rollup type and raw record IDs, built in the background
db.OPERATIONAL_METRIC.createIndex(
  {"value._rolluptype": 1, "value.rawIds": 1},
  {name: "OPERATIONAL_METRICRecoveryIDX", background: true})

Key Features: 2020.2.0

Note: The key features here are specific to 2020.2.0 and are not available in earlier 2020.1.x update releases. For features and enhancements also available in 2020.2.0 but delivered in previous 2020.1.x update releases, see each update version below.

Technology upgrades

This release incorporates several upgrades to technologies and tools. See System Requirements for Akana Platform 2020.2.x for details. These include:

  • MongoDB
  • Elasticsearch
  • Adobe Flash has been replaced in Policy Manager's Real Time and Historical Charts.

AWS CloudHSM support

Akana adds support for the AWS CloudHSM cloud-based hardware security module.

Docker images

Enhanced support has been added for installation via specific Akana Docker images to enable better environment standardization, portability, compatibility, and ease of maintenance.

NTLM V2 support

The authentication protocol NT LAN Manager version 2 (NTLMv2) is now supported.

Community Manager developer portal enhancements

Multiple enhancements have been made to the Community Manager portal. Among them are:

  • Bonita theme improvements: Bonita theme now includes an API Access Wizard, supports authored documentation, and has more intuitive navigation functionality. See Bonita Theme on the Akana docs site.
  • Operation-specific policy support: Policies can now be assigned to a specific API operation, in addition to assigning at the API level. See "To assign a policy to a specific operation in an API implementation," on the Akana docs site.

New documentation on customizing the Community Manager developer portal

Multiple options are available to customize the portal, now documented in detail at "Detailed Customization Document" on the Akana docs site.

Envision enhancements

Envision has been enhanced with several usability improvements and security fixes, including the addition of chart creation guidance when filtering, the display of chart loading information, and the ability to edit a chart without first previewing it, improving performance.

Lifecycle Manager Repository Client

The Lifecycle Manager Repository Client has now been certified on macOS.

Enhancements: 2020.2.0

Envision login could pose potential security risk on LDAP domain

When logging into the Envision Console on an LDAP domain, valid usernames could potentially be exposed through repeated logins. For example, if an invalid username was provided, the application returned "User <username> does not exist." Now a generic message "Invalid user credential" is returned in all cases.

Support ticket: SUPPORT-2387, SUP-17761

Lifecycle Repository extended properties can be configured as a single value or multiple values

For API, App and User extensible properties, Community Manager now supports the configuration of a single value or multiple values. A multi-value list can include free-form values added by the user.

Support ticket: No related support tickets.

Automation recipes enhanced with additional security configuration options

Out-of-the-box automation recipes have been enhanced to support various use cases configuring security across Akana containers.

Support ticket: SUPPORT-36354

MongoDB can now be configured for recovery jobs

When using the MongoDB Support plug-in to manage audit and metrics data, new options are available to configure recovery jobs. These options help avoid loss of metrics data and ensure data accuracy during a roll-up process. In the Admin Console, these are available at Configuration > com.soa.persistence.mongodb:

  • persistence.mongodb.rollup.maxRecoveryBatchSize (default: 10,000): The maximum number of raw records in a batch, for a recovery job.
  • persistence.mongodb.rollup.skipRecoveryIteration (default: 10): Number of iterations to skip before running recovery jobs.

Support ticket: No related support tickets.

Akana OAuth/OIDC Provider Domain adds support for PKCE

This release adds support for the optional PKCE security extension for OAuth, with the Authorization Code grant type. PKCE (Proof Key for Code Exchange) enhances security by adding an additional key with the authorization code request and again with the token request. For more details, see Akana OAuth/OIDC Provider Domain: Tab 2, Grant Types - Configuration Values on the Akana documentation site.

Support ticket: No related support tickets.
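
The PKCE exchange described above, following RFC 7636 with the S256 method, as an added example that is not Akana's code: the client sends a challenge derived from a secret verifier with the authorization request, then proves possession of the verifier with the token request. The ToyAuthorizationServer class, its method names and the "app-1" client ID are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes become a 43-character verifier."""
    return _b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical in-memory server; models only the PKCE binding."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, code_challenge_method):
        """Authorization request: remember the challenge, hand back a code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted in this sketch")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        """Token request: return an access token, or None to reject."""
        entry = self._pending.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        if not _VERIFIER_RE.fullmatch(code_verifier or ""):
            return None
        # Recompute the challenge from the verifier; constant-time compare.
        if not hmac.compare_digest(s256_challenge(code_verifier), entry[1]):
            return None
        return secrets.token_urlsafe(24)


def demo():
    """Returns (legitimate client granted, wrong verifier rejected, replay rejected)."""
    server = ToyAuthorizationServer()
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)
    code_a = server.authorize("app-1", challenge, "S256")
    code_b = server.authorize("app-1", challenge, "S256")
    granted = server.token("app-1", code_a, verifier)
    # A party holding only the authorization code cannot supply the verifier.
    rejected = server.token("app-1", code_b, new_code_verifier())
    replayed = server.token("app-1", code_a, verifier)
    return granted is not None, rejected is None, replayed is None
```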

Configure data chunk size in MongoDB for improved resource management

Admins can now control the number of records for a Mongo MapReduce operation to avoid processing delays and meet SLA requirements if resources are tight or the amount of data is high. A new maxBatchSize configuration property is available in the Admin Console at Configuration > com.soa.persistence.mongodb > persistence.mongodb.rollup.maxBatchSize. The default setting is 10,000.

Support ticket: No related support tickets.

New AllowListedCrossSiteScripting policy in Policy Manager

A new operational policy, AllowListedCrossSiteScripting, replaces the WhiteListedCrossSiteScripting policy in Policy Manager under Registry > Policies > Operational Policies > AllowListedCrossSiteScripting. Existing WhiteListedCrossSiteScripting policies will be retained.

Support ticket: No related support tickets.

Customization samples available to download from the Customizations page

A zip file of the customization samples is now available to download from the Customization page, accessed via More > Admin > Customization > Download Customization Samples.

Support ticket: No related support tickets.

Assign a policy at the operation level

Assigning a policy to a specific operation in an API implementation, rather than to the entire implementation, is now supported. See How do I assign policies to my API implementation? on the Akana documentation site. This functionality is also supported in the Test Client, both in the context of the Community Manager developer portal and when Test Client is embedded in authored API documentation.

This resulted in changes in the request and/or response to some existing operations that manage information about policies attached to an API.

Previously, these operations used the Policies model object, whether directly or nested within another model object. The Policies object includes an array of information about one or more policies attached to the service. These operations now use additional information, to accommodate policy attachments at the operation level in the developer portal and the APIs:

  • Policy[ ]: An array of information about one or more policies attached to the service
  • ApiOperationPolicy[ ] : An array of information about the operation and about one or more policies associated with it

Modified operations include:

ApiVersion:

TargetAPI:

TargetAPI (field TargetAPI inside ApiVersion; see above)

APIImplementation:

Support ticket: SUPPORT-36137, SUPPORT-3459

Get Contract Versions API supports pagination

The Get Contract Versions API (GET /api/apis/versions/{APIVersionID}/contracts) now supports pagination using the optional start and count query parameters.

Support ticket: SUPPORT-35863

Bonita theme now includes an API Access Wizard

In Bonita theme, you can request access to APIs using the API Access Wizard, just as you can in Hermosa theme, available via an "Access" button on the API Details page.

Support ticket: No related support tickets.

Bonita theme adds support for authored documentation

In versions prior to 2020.2.0, Bonita theme supported viewing generated documentation in Swagger 2.0 and OAS 3.0, but not authored documentation. In version 2020.2.0, Bonita also supports viewing authored API documentation that has been uploaded, including all aspects of API documentation functionality. For more information, see Bonita theme: API functionality on the Akana documentation site.

Support ticket: No related support tickets.

Policy Manager Real Time Charts no longer use Adobe Flash

The Real Time Charts in Policy Manager no longer use the Adobe Flash Player, which Adobe stopped supporting on December 31, 2020. The new, improved versions display similarly to earlier, Flash-based charts.

Support ticket: No related support tickets.

Latency when querying MongoDB for service data

Filtering usage data by service has been improved by correcting the improper use of an index.

Support ticket: SUPPORT-34899

Support for Elasticsearch version 7.9.x

Support for Elasticsearch version 7.9.x has been added. Previous versions of Elasticsearch are incompatible with the API Platform, and support for the Elasticsearch Transport Client has been removed. Users must upgrade servers to Elasticsearch 7.9.x, as follows:

1. Upgrade Elasticsearch servers to use version 7.9.x.

2. Configure/Update REST Client URL(s) in:
Admin Console > Configuration > "Configure Elasticsearch Global Configuration".

3. Delete the old indices by name or delete all indices using "_all":

curl -XDELETE 'http://<ES_HOST>:<ES_PORT>/_all'

4. Reindex all the objects:
Run the following query to reindex all the objects.

delete from INDEX_STATUS;

Support ticket: SUPPORT-32942, SUPPORT-33935

Envision: Exporting charts functionality has been removed

Exporting a chart as an image, previously available from several Envision dialogs, has been removed to avoid potential security issues.

Support ticket: SUPPORT-2383, SUP-17757

Search capability added to the Policies page for an organization

On the Policies page, accessed in the Community Manager portal via Organizations List > choose an organization, search tools are now available to help locate a policy.

Support ticket: No related support tickets.

Policy Manager: Dependency Map has been removed

Policy Manager's Dependency Map, previously available at Services > Monitoring > Dependencies, has been removed from the UI.

Support ticket: No related support tickets.

Process Editor now available from API Details page

The Process Editor, previously accessed only via the API > Implementations page, is now available from the API Details page. To open it, choose API > Details > Design section > specific operation, Actions drop-down; then select Edit Live Process or Edit Sandbox Process.

Support ticket: No related support tickets.

JRE version security patch updated

The JRE version 1.8 has been updated with the latest security patch, version 8u265.

Support ticket: No related support tickets.

New SMTP task sets SMTP properties

A new Admin Console task, "Configure SMTP server settings for email sending," sets SMTP properties via automation recipes. To run the task in automation, use the recipe file tasks/smtp-settings.json.

Support ticket: SUPPORT-33864

Envision: Chart creation now features UI guidance on filters that could improve analytics performance

When creating charts in Envision, certain selections can negatively impact analytics performance; for example, filtering by an unnecessarily broad time range would result in long loading times that present undesired data.

Envision chart creation has now been enhanced to:

  • Set default timestamp filters that focus on the most recent data.
  • Warn on potential time range mistakes; for example, a choice of a DAY interval with a timestamp filter greater than "1 WEEK FROM" the current date prompts a warning message to consider using the WEEK interval instead.
  • Warn to drill down at a finer granularity when building a drilldown chart.
  • Warn when using a TO_DATE filter that a FROM_DATE should also be added to avoid processing unintended historical data.

Support ticket: No related support tickets.

New automation recipe to update Elasticsearch index

If new Elasticsearch indexes are added or existing indexes are modified, a new automation recipe, cm-es-index-upgrade.json, is available to update the index. This recipe takes no parameters. See Updating the Elasticsearch index on the Akana documentation site for details.

Support ticket: No related support tickets.

Envision: UI forms now identify all required fields with an asterisk

Any required fields in an Envision UI form are now clearly marked with an asterisk (*).

Support ticket: No related support tickets.

Envision: Dashboard displays chart loading information

The Envision dashboard now displays a loading animation while each chart loads to provide a visual cue of progress.

Support ticket: No related support tickets.

Envision: Ability to edit a chart without first previewing it

The ability to edit a chart without first running a preview has been added. This can avoid a wait when charts take a long time to load.

Support ticket: SUPPORT-2579, SUP-17954

Deprecations and Removals for 2020.2.0

Default Theme is removed with 2020.2.0

Default Theme was deprecated in 2020.1.0 and has now been removed from the UI. If you are using Default Theme, it will continue to work as before, but it is not supported. All customers using Default Theme should move to the Hermosa Theme, and migrate any customizations. For example, port header customizations according to Community Manager: Migration Guide and Community Manager: Detailed Customization Document. Other customizations should continue to work, but style customizations are likely to be required.

Support ticket: No support ticket

Simple Developer theme is deprecated

The Simple Developer theme (Simple Dev) is deprecated and will be removed in a future major release. A newer theme, Bonita, also has a streamlined UI and provides read-only access to API information.

Support ticket: No support ticket

NTLMv1 is deprecated

The authentication protocol NT LAN Manager version 1 (NTLMv1) is deprecated; the platform now supports NTLMv2.

Support ticket: SUPPORT-37466

Bug Fixes: 2020.2.0

Community Manager required fields did not display an asterisk

In the Community Manager developer portal, mandatory fields in the API documentation's Schema section for Swagger and Open API documents now properly display an asterisk (*).

Support ticket: SUPPORT-35475

API Details page did not display operation details

The API Details page did not fully populate with operation details for some APIs.

Support ticket: SUPPORT-39524

Community Manager SSO login to Open Banking could experience errors when retrieving trusted CA certificates

Single sign-on (SSO) login for UK Open Banking could fail to return the trusted CA certificate when the database contained a very large number of CA certificates.

In the Admin Console, a new setting now provides control of the cache expiration interval allowed for trusted CA certificates, under Configuration > com.soa.subsystems > trusted.ca.cache.expireIntervalMillis. The default is 60,000 milliseconds, or one minute. It's recommended to increase the cache time to 5 to 10 minutes. Restart is not required for the configuration to take effect.

The SQL prepared statement used with all the possible context paths for the public certificates is rounded up to the nearest 100. The statement can be profiled based on the number of public certificates in the system. For example, for 620 or 667 public certificates, profile the SQL for 700.

Support ticket: SUPPORT-36496

Jetty setting context.manager.maxFormSize did not work for default value

The Jetty transport setting that controls the maximum number of bytes allowed in a form returned errors when the default value of 0 was set. A default of 0 should allow 200,000 bytes, but the request was instead erroneously rejected. This setting is accessed in the Admin Console under com.soa.platform.jetty > context.manager.maxFormSize.

Support ticket: SUPPORT-34297

Next Hop URL missing for SOAP service failures

For a SOAP service failure when an HTTP error 500 Internal Server Error was returned, the Policy Manager usage logs contained an empty Next Hop URL field.

Support ticket: SUPPORT-34119

Defining a role in Policy Manager could display incorrect domains

The Policy Manager "Manage Role" function could display unsupported domains for selection in the "Within" dropdown (Policy Manager > Registry > Security tab > Manage Role). Now, only LDAP, Active Directory, or the local domain are displayed.

Support ticket: SUPPORT-37214, SUPPORT-37450

For OpenAPI 3.0 or Swagger 2.0, a complex, compound schema could display operation details incorrectly

When using OpenAPI 3.0 or Swagger 2.0, an API description document with complex, compound schemas containing keywords allOf, anyOf, or oneOf could result in a malformed display of operation details.

Support ticket: SUPPORT-38857

Network Director: Script execution allowed requests for unsupported script languages

Script execution is now validated at runtime against the engine types listed in com.soa.script.framework.properties in the Admin Console for Network Director. If the script type is not found in the script.engine.manager.engines properties list, script execution will fail.

Support ticket: No related support tickets.

The Sign Up page could fail to load when images were enabled on login domains

When trying to open the Sign Up page by clicking the Create Account tab in the Community Manager developer portal, the page could fail to load and would display an error if images or logos were in use for any enabled login domains.

Support ticket: SUPPORT-36489

A vulnerability in the Admin Console could result in an SSRF attack

A vulnerability was identified in the Admin Console that could have resulted in a Server Side Request Forgery (SSRF) attack.

Support ticket: SUPPORT-37566

Network Director connections could hang in CLOSE_WAIT state

In certain scenarios, the connections on Network Director could hang in a CLOSE_WAIT state, resulting in socket timeout exceptions for the clients. The Jetty server upgrade has addressed this issue.

Support ticket: SUPPORT-35839, SUPPORT-32186, SUPPORT-36814

External OAuth Provider Domain: Documentation clarification re X.509 Certificate URL

In some cases, there were problems in accessing the X.509 certificate URL for the External OAuth Provider domain. The platform requests the certificate using a POST API call, and the X.509 certificate URL must support POST requests. The documentation has been updated to clarify this requirement (External OAuth Provider Access Token Validation page, Signing Keys field).

Support ticket: SUPPORT-21712

OpenAPI 3.0 API documentation could display invalid Content-Type

When using OpenAPI 3.0, the API documentation could display an invalid Content-Type in the request body when viewing the documentation via the APIs > My APIs > choose API > Documentation tab.

Support ticket: SUPPORT-38035

HTTP request smuggling vulnerability

A possible HTTP request smuggling vulnerability has been addressed by the Jetty server upgrade.

Support ticket: SUPPORT-28819

Jetty version has been upgraded to 9.4.31

The version of Jetty bundled with the Akana API Platform has been updated to 9.4.31.

Support ticket: SUPPORT-29284, SUPPORT-29395, SUPPORT-26187, SUPPORT-20513, SUPPORT-32186, SUPPORT-28819

UI enhancements to the API or App Details page

In the Community Manager developer portal, several enhancements have been made to the API Details and App Details pages for improved usability:

  • For the Bonita theme:
    • The left navigation bar Analytics entry on the API or App Details page now includes sub-menu entries Overview, Charts, Logs, and Licenses.
    • The Analytics section on the API Details page now provides access to license monitoring at APIs > My APIs > choose API > Analytics > Licenses.
  • On all themes on the API Details page, the Edit button has been moved into the API Description pane rather than above it.

Support ticket: No related support tickets.

Metrics API sometimes returning incorrect value

The Get Metrics API (GET /api/apis/versions/{APIVersionID}/metrics) was sometimes returning the wrong value for totalRequestSize and totalResponseSize.

Support ticket: SUPPORT-36498

RAML Parser upgraded from 0.8.7 to 0.8.40

The RAML Parser jar version has been upgraded from 0.8.7 to 0.8.40 to ensure proper API creation when importing a RAML file.

Support ticket: SUPPORT-37007

The "Comment on Ticket API" did not send notifications to the creator of a ticket

When adding a comment to a ticket using the Comment on Ticket API, POST /api/tickets/{TicketID}/comments, no notification was sent to the ticket creator. Notifications are now properly sent.

Support ticket: SUPPORT-34312

Invalid username could result in a security vulnerability

In some cases, an invalid username could be inserted into an LDAP query, resulting in an application exception and a subsequent LDAP injection vulnerability.

Support ticket: SUPPORT-2390, SUP-17764
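
One way to handle the two LDAP login issues in these notes together, the username-revealing error message (Envision login enhancement) and the username inserted into an LDAP query (this fix), as an added example that is not Akana's code. It assumes the remedy is RFC 4515 filter-value escaping plus one uniform failure message; the filter shape, the in-memory directory and all function names are constructed for illustration.

```python
import hmac
import re

GENERIC_ERROR = "Invalid user credential"  # message text quoted in these notes

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Assumed filter shape; the username only ever lands in the uid value."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


# Constructed stand-in for a directory and its bind check.
_DIRECTORY = {"alice": "correct horse"}
_FILTER_RE = re.compile(
    r"\(&\(objectClass=person\)\(uid=((?:[^\\()*\x00]|\\[0-9a-f]{2})*)\)\)"
)


def _toy_search(ldap_filter: str):
    """Toy lookup: exact match on the unescaped uid value, nothing else."""
    m = _FILTER_RE.fullmatch(ldap_filter)
    if m is None:
        raise ValueError("malformed filter")
    uid = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return uid if uid in _DIRECTORY else None


def login(username: str, password: str):
    """Return (ok, message); every failure path yields the same message."""
    try:
        uid = _toy_search(build_user_filter(username))
    except ValueError:
        return False, GENERIC_ERROR
    stored = _DIRECTORY.get(uid, "")
    # Compare even for unknown users so the code path does not differ.
    match = hmac.compare_digest(stored.encode(), password.encode())
    if uid is not None and match:
        return True, "OK"
    return False, GENERIC_ERROR
```

Unknown users, wrong passwords and usernames containing filter metacharacters all return the same tuple, so the response text gives no signal about which usernames exist.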

Lifecycle Repository Runtime Configuration did not update extended metadata

When extensible metadata is enabled in the developer portal, the Lifecycle Repository Runtime Configuration did not always reflect updated metadata values for an API. Now asset properties are appropriately updated in the database before the Runtime Configuration is invoked.

Support ticket: SUPPORT-35841

Envision: Some data written to the database could alter the JSON response

In some cases, data written to a MongoDB database could include literal backslash escape characters, resulting in an alteration of the JSON response and a potential security threat. Now, all Envision APIs validate input appropriately before writing to the database. Any data out of spec returns an HTTP 400 Bad Request error.

Support ticket: SUPPORT-2384, SUP-17758, SUPPORT-2385

Deleting an organization produced an error when Lifecycle Repository was enabled

When Lifecycle Repository is installed and enabled, deleting an organization in Community Manager could fail.

Support ticket: SUPPORT-36083

UI upgrades to theme headers and footers

The header and footer logos in all themes have been updated for consistency. The DevOps theme header is now consistent with the Bonita theme.

Support ticket: No related support tickets.

Creating multiple APIs concurrently could result in deadlock

When creating multiple APIs concurrently, database deadlock could result in some cases. The possibility of database deadlocks has now been reduced.

Support ticket: No related support tickets.

Lifecycle Coordinator topology PUT method could fail

Invoking the PUT method for the TopologyAPI did not properly update the "topologyTenants" property in the table "INSTALLPROPS" for all tenants.

Support ticket: SUPPORT-20605