Major Release 2022.1.2

April 17, 2023

In this release:

Key Features: 2022.1.2

Support added for AWS CloudHSM

This release adds support for AWS CloudHSM (hardware security module). CloudHSM support includes management of identities and certificates via APIs:

APIs that assign PKI keys:

  • Assign PKI keys to Akana PM/ND containers
    POST /rest/containers/<container_key>/pki/assign
  • Assign PKI keys to Akana PM/ND container's Outbound
    POST /rest/containers/<container_key>/pki/outbound/assign
  • Assign PKI keys to Akana container’s Inbound listeners
    POST /rest/containers/<container_key>/listeners/<listener_name>/pki/assign
  • Assign PKI keys to Akana user
    POST /rest/users/<user>/pki/assign
  • Assign PKI keys to Akana service
    POST /rest/services/<service_key>/pki/assign
  • Assign PKI keys to tenant theme
    POST /api/tenants/<tenant_id>/themes/<theme_name>/pki/assign

APIs that manage certificates:

  • Add a certificate (.cer) to Akana’s Trusted store
    POST /rest/trustedca/certificates/
  • Upload all the certificates in a given keystore to Akana’s Trusted store
    This API supports both the JKS and PKCS12 file formats.
    POST /rest/trustedca/certificates/keystore
  • List all the certificates in Akana’s trusted store
    GET /rest/trustedca/certificates/
  • List a certificate for a given alias from Akana’s trusted store
    GET /rest/trustedca/certificates/<alias>
  • Delete a certificate from Akana’s trusted store
    DELETE /rest/trustedca/certificates/<alias>
  • Delete all the expired certificates from Akana’s trusted store
    DELETE /rest/trustedca/certificates/expired

Enhancements: 2022.1.2

Improved JOSE Security v2 policy responses

When the crit header is missing, the JOSE Security v2 policy will respond with the HTTP response status code "401 Unauthorized" and the message "Authentication error. crit header is missing."

In addition, the changes below apply to both Detached Non-OpenBanking and Non-Detached Non-OpenBanking scenarios:

  • With Protection Scope set to IN and OUT, IN Message -> Signed Content selected, and OUT Message -> Sign Content selected, the policy now returns application/json as the response Content-Type for the 200, 401, and 500 HTTP response status codes. If the Protection Scope also includes FAULT, the Content-Type is unchanged; that is, the policy still returns application/json as the response Content-Type.
  • With Protection Scope set to IN and OUT, IN Message -> Signed Content and Encrypted Content selected, and OUT Message -> Sign Content and Encrypt Content selected, the policy returns application/jose as the response Content-Type for the 200 HTTP response status code. For the 401 and 500 HTTP response status codes, the policy returns application/json as the Content-Type. If the Protection Scope also includes FAULT, the 401 and 500 responses are also returned with application/jose.
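The missing-crit check and the Content-Type selection described above, as an added Python illustration (not the policy's own code): the HEADER_INVALID message and the make_compact_jws helper are assumptions made for this example, and the JWS it builds carries a placeholder signature.

```python
import base64
import json

# Response message the page gives for a missing crit header (JOSE Security v2 policy).
CRIT_MISSING = "Authentication error. crit header is missing."
# Message for an unparseable header segment: assumed for this example, not from the page.
HEADER_INVALID = "Authentication error. Invalid JWS protected header."


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_compact_jws(header: dict, payload: bytes = b"") -> str:
    """Build a compact JWS for the examples (constructed input; the signature
    segment is a placeholder, not a real signature). An empty payload gives
    the detached form, where the payload segment is left empty."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(payload), enc(b"placeholder-signature")])


def check_crit_header(compact_jws: str):
    """Return (status, body) mirroring the policy's missing-crit behaviour.

    Only the protected header (first dot-separated segment) is inspected;
    signature verification and crit-member processing are out of scope here.
    """
    try:
        header = json.loads(_b64url_decode(compact_jws.split(".")[0]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return 401, {"message": HEADER_INVALID}
    if not isinstance(header, dict):
        return 401, {"message": HEADER_INVALID}
    if "crit" not in header:
        return 401, {"message": CRIT_MISSING}
    return 200, {"crit": header["crit"]}


def response_content_type(status: int, encrypt_out: bool, fault_in_scope: bool) -> str:
    """Content-Type the release note says the policy returns (Detached and
    Non-Detached Non-OpenBanking alike).

    encrypt_out=False: IN Signed Content / OUT Sign Content only.
    encrypt_out=True:  IN Signed+Encrypted Content / OUT Sign+Encrypt Content.
    fault_in_scope:    whether the Protection Scope also includes FAULT.
    """
    if not encrypt_out:
        return "application/json"  # 200, 401 and 500 alike, with or without FAULT
    if status == 200:
        return "application/jose"
    if status in (401, 500):
        return "application/jose" if fault_in_scope else "application/json"
    raise ValueError(f"HTTP {status} is not covered by the release note")
```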

Case number: 00634481

Support ticket: SUPPORT-45684

MongoDB index creation has been optimized

Creating MongoDB indices now uses asynchronous APIs to improve performance and avoid situations in which execution could be blocked. Additional log statements have been added to monitor the status of index creation, including "Creating index [index_name]," "Created index [index_name]," and "Index creation failed for [indexName]."

Support ticket: No related support tickets.

Elasticsearch Log Appender Plug-In now supports secure connections

Support has been added for TLS connections with the Elasticsearch Log Appender Plug-In.

Support ticket: No related support tickets.

Container now supports secured connections to Elasticsearch

Akana is now configured to connect securely to Elasticsearch 8.5.3 using credentials and certificates.

Support ticket: No related support tickets.

PKCE now supported for PingFederate external OAuth provider

When using the PingFederate version 9.x or above as the external OAuth provider, PKCE (Proof Key for Code Exchange) is now supported for authorization. This is configured in the OAuth Profile Authorization settings for the app, usually by a site admin.

Case number: 00634360

Support ticket: SUPPORT-48634

JOSE policy modifications

In 2022.1.2 the following plugins have been merged into the Akana core product:

  • Akana JOSE Security Profile for RSA Adaptive Authentication for eCommerce
  • Akana JOSE Security Profile for UK Open Banking
  • Akana JOSE Security Profile for VISA Token Services
  • Akana Enhanced JOSE Security Policy Plug-In for Network Director

Any existing XML JOSE Extension Policy will continue to work seamlessly as an XML based policy and not as a JOSE Profile-Driven Security policy that is created from the Community Manager UI.

Similarly, any existing JOSE Profile-Driven Security policies will continue to work seamlessly as JOSE Profile-Driven Security policies.

Support ticket: No related support tickets.

MongoDB indexes updated to avoid latency when accessing logs

Updates have been made to the MongoDB indexes to address timeout and latency issues when retrieving analytics log data.

Case number: 00826021

Support ticket: No related support tickets.

Elasticsearch now defaults to enabling TCP keepalives

To avoid timing out HTTP connections between search requests, Elasticsearch now defaults to enabling TCP keepalives. Note that this just enables the Elasticsearch client to use the keep-alive functionality. You may still need to modify your server sysctl settings, as described in the Elasticsearch issue "Enable TCP keepalives by default in Java REST clients #65213."

Case number: 00602431

Support ticket: SUPPORT-48512

New automation recipe for configuring an external keystore

A new automation recipe has been provided to configure an external keystore, used to manage all the PKI keys and certificates for a container. See Automation Examples in the Akana online documentation.

Support ticket: No related support tickets.

MongoDB 4.4 support

Support has been added for MongoDB 4.4.

Case numbers: 00829271, 00826021, 00771286

Support ticket: No related support tickets.

ElasticSearch 8.5.x support

Akana 2022.1.2 has added support for ElasticSearch 8.5.x. See System Requirements in the Akana online documentation.

Support ticket: No related support tickets.

Policy attachments/detachments to APIs can now trigger alerts

Any change in terms of policies attached to or detached from an API can now trigger an alert. Custom alert codes can be created using the Add Alert Code function. See "How to define an Alert Code to Audit an Event section" in the online help at http://help.akana.com/content/current/ag/alerts/using_alert_codes.htm for more information.

Case number: 00770203

Support ticket: SUPPORT-50624

The OpenID Connect configuration now displays more provider properties

The discovery URL/well-known configuration URL for OIDC now displays the id token signing algorithm, the id token encryption algorithm and the id token content encryption algorithm, based on the user's selection. Prior to this change, the well-known configuration displayed just the default list of algorithms.

Support ticket: SUPPORT-22663

Support for IPv6 when invoking downstream services

The Internet Protocol version 6 (IPv6) address format is now supported, in addition to the existing IPv4 format, for invoking downstream services.

Support ticket: No related support tickets.

New variable in automation recipe properties file controls the tenant protocol

A new property TENANT_SCHEME can be included in the pm-cm-all.properties file for the cm-tenant.json recipe to assign a protocol. HTTP is the default if not set. To change it to HTTPS, for instance, include the following in the properties file:

TENANT_SCHEME=https

Support ticket: No related support tickets.

SAML Web SSO is now supported on Hardware Security Module (HSM)

Policy Manager has added Hardware Security Module (HSM) support for the SAML Web SSO Domain setup.

Support ticket: SUPPORT-42350, SUPPORT-50455

Akana OAuth Provider publishes public keys with x5c claim in JWKS endpoint

The Akana OAuth/OIDC Provider JWKS URL now exposes the public key as a JWK (including kid, x5c, x5t, and x5t#256) corresponding to the private key used to sign the access token. This is configured in Akana OAuth/OIDC Provider > Token (tab) > Reference Signing Key from Platform Identity. The "kid" value in the JWK matches the "Reference Signing Key from Platform Identity" value.
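An added client-side consistency check for a JWK of the shape described above (example code, not the Akana provider's): it recomputes the x5t and SHA-256 thumbprints (the latter is spelled x5t#S256 in RFC 7517) from x5c[0] and confirms the kid. The sample certificate bytes and RSA modulus are constructed placeholders, not a real certificate.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without padding, as JWK thumbprints are encoded (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def thumbprints(cert_der: bytes) -> tuple:
    """(x5t, x5t#S256): base64url SHA-1 and SHA-256 over the DER certificate (RFC 7517 sections 4.8 and 4.9)."""
    return b64url(hashlib.sha1(cert_der).digest()), b64url(hashlib.sha256(cert_der).digest())


def build_jwk(kid: str, cert_der: bytes, n_b64: str, e_b64: str = "AQAB") -> dict:
    """Assemble an RSA signing JWK of the shape the page describes: kid, x5c, x5t, x5t#S256."""
    x5t, x5t_s256 = thumbprints(cert_der)
    return {
        "kty": "RSA", "use": "sig", "kid": kid, "n": n_b64, "e": e_b64,
        "x5c": [base64.b64encode(cert_der).decode()],  # x5c uses plain base64, not base64url
        "x5t": x5t, "x5t#S256": x5t_s256,
    }


def select_key(jwks: dict, kid: str):
    """Pick the JWKS entry whose kid matches the one expected from the platform identity (None if absent)."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def check_jwk(jwk: dict, expected_kid: str = None) -> list:
    """Sanity checks a relying party can run on a fetched JWK; returns findings (empty means consistent)."""
    problems = []
    x5c = jwk.get("x5c") or []
    if not x5c:
        return ["x5c missing: cannot cross-check thumbprints"]
    try:
        leaf = base64.b64decode(x5c[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["x5c[0] is not valid base64"]
    x5t, x5t_s256 = thumbprints(leaf)
    if jwk.get("x5t") != x5t:
        problems.append("x5t does not match SHA-1 of x5c[0]")
    if jwk.get("x5t#S256") != x5t_s256:
        problems.append("x5t#S256 does not match SHA-256 of x5c[0]")
    if expected_kid is not None and jwk.get("kid") != expected_kid:
        problems.append(f"kid {jwk.get('kid')!r} != expected {expected_kid!r}")
    return problems


# Constructed placeholders: not a real DER certificate or RSA modulus, only bytes to hash.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-bytes" * 4
SAMPLE_JWK = build_jwk("platform-signing-key", SAMPLE_DER, n_b64=b64url(b"\x00\xc1" * 64))
SAMPLE_JWKS = {"keys": [SAMPLE_JWK]}
```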

Case number: 00617897

Support ticket: SUPPORT-27525

Default promotion timeout increased

When promoting an API between Community Manager instances via Lifecycle Coordinator, the default timeout has been increased from 2 minutes to 5 minutes.

Support ticket: No related support tickets.

Latency improved when querying MongoDB for service data

Filtering usage data by service has been improved.

Support ticket: SUPPORT-32488

Known Issues 2022.1.2

The Throughput Quota policy processes an extra request with the grid counter service

When the Throughput Quota policy is configured with a limit of x requests per time interval, the throughput limit exceeded error is returned after x + 2 requests instead of x + 1 requests.

API Quota Usage charts are not returned at a license level with intervals in minutes

When a quota policy is attached to a license and the defined interval is in minutes, the API Analytics License page does not return charts for the API Quota Usage. The other charts on API Analytics License page return proper results.

JRE upgrade results in a new error message regarding untrusted certificates

After upgrading the JRE shipped with the product from 2019.1.36 to 2020.2, the error message returned for untrusted certificates changed. The new version of the JRE returns a socket error rather than an error specific to an untrusted certificate. This is not a change in Akana; rather, it is a change in the JRE version.

Case number: 00797955

Envision Business Service Level Policy

The Business Service Level Policy generates only one alert even when multiple alerts are configured.

The Operational Aggregate Policy could fail when assigned at the operation level

The Operational Aggregate Policy could fail when assigned at the operation level using the HTTP Basic Authentication policy or the OAuth Security policy, returning an HTTP "401 Unauthorized access" error.

Case number: 00847940

Container's Admin Console may report duplicate valid session cookie errors

The Admin Console of the container may intermittently display an error dialog reporting duplicate valid session cookies. The Admin Console may then become unresponsive or may return an HTTP 404 error "File not found." Clearing browser cookies clears this error.

Duplicate log entries for exceptions and JOSE Profile Policy

Any exception results in two identical stack traces written to the log file.

Additionally, when the JOSE Profile Policy is used and Forced Diagnostic Logging is turned on, the trace block is written twice and the second trace block has a stack trace appended even when there is no exception.

The Business Service Level Policy may not work properly when attached to an app

The Business Service Level policy is successfully applied when attached at the API level, but will not function as expected if attached while creating an App contract.

MongoDB data rollups

MongoDB Aggregation Pipeline support for data rollups was introduced in the 2022.1.0 release. In 2022.1.x versions, this is not supported for Akana customers upgrading from a 2020.x or earlier version. Aggregation support will be provided for these customers again in an upcoming patch release.

For Akana customers who are using MongoDB for the first time with their 2022.1.x deployment, Aggregation is supported.

MongoDB options are configured in the Admin Console under Configuration > Configuration Categories > com.soa.persistence.mongodb.

Search based on a tag fails for numeric characters

A search based on a tag fails if the tag search criteria includes numeric characters.

Bug Fixes: 2022.1.2

API delete operations required a payload with the JOSE v2 policy

No payload is required for delete operations on an API associated with the JOSE v2 policy (Unencoded Payload Support).

Case number: 00602226

Support ticket: SUPPORT-49032

Critical and high severity vulnerabilities fixed

All critical and high severity CVEs reported by Prisma through March 20th, 2023, have been resolved.

Case number: 00772571

Support ticket: SUPPORT-51108

Increased default cache size for policy scripts

The default cache size has been increased to 1,500 to provide more consistent and reliable gateway performance in deployments with a large number of policy-based scripts and APIs.

Case number: 00841743

Support ticket: No related support tickets.

API name change in Community Manager not reflected in Policy Manager

When renaming an API in Community Manager, the name change on the physical, virtual, and design entities representing the API in Policy Manager may not have been updated.

Support ticket: SUPPORT-2223, SUPPORT-29662, SUPPORT-1213, SUPPORT-42250, SUPPORT-44813

New API or app did not display version correctly in Policy Manager

After creating a new API or app in Community Manager, its initial version for the "Design entity" did not properly display in Policy Manager.

Support ticket: SUPPORT-2223

New API could not be viewed in API Designer

In Community Manager, a new API created with a YAML file was not properly displayed in the API Design and API Documentation pages.

Support ticket: No related support tickets.

Custom Bonita theme did not load after deleting the original theme

A custom theme created by cloning the Bonita theme did not load if the Bonita theme was subsequently deleted.

Support ticket: No related support tickets.

After upgrade, provisioning could time out using automation recipes when SiteMinder plugin was included

When upgrading to 2022.1.x and running automation recipes, provisioning could fail to complete, producing a timeout error when the SiteMinder plugin was included.

Case number: 00865285

Support ticket: No related support tickets.

Policy Manager wouldn't start when SiteMinder plugins were installed

When the CA SiteMinder identity system was installed, Policy Manager could fail to start.

Support ticket: No related support tickets.

Automation recipe to upgrade indices did not correctly handle any index prefix

The automation recipe cm-es-index-upgrade.json has been updated to handle Elasticsearch index upgrades when the index prefix is something other than "default".

Now, this recipe determines the tenants' configured index name prefix and correctly upgrades the indices.

Case number: 00634516

Support ticket: SUPPORT-44772

Some indexes created by the schema update task were not run in the background

Some indexes created by the schema update task were not run in the background. This could cause MongoDB outage problems if there was a lot of data and the index creation was lengthy.

Support ticket: No related support tickets.

Error message was incorrect when client_id was missing from the token request

The Akana OAuth Provider token endpoint returned an HTTP "401 Unauthorized" error when the client_id value was missing from the token request. The error message has been corrected and is now an HTTP "400 Bad Request" error.

Support ticket: SUPPORT-50092

The openbanking_intent_id was not being returned

For the Akana OAuth/OIDC domain, the openbanking_intent_id was not properly returned.

Support ticket: SUPPORT-50090

Transparent logo in Community Manager did not render correctly

After configuring Community Manager's login page to have a transparent logo, the logo did not render properly at login.

Support ticket: No related support tickets.

PKCE security extension for OAuth does not require client secret

When using the PKCE security extension for OAuth with the Authorization Code grant type, getting the access token required the client secret. Now, the access token can be obtained without sending the client secret.

Case number: 00712935

Support ticket: No related support tickets.

Updated user details were not fully reflected for OpenID Connect domain

If existing users in an OIDC domain changed their details, those changes were not fully reflected in the database.

Case number: 00619260

Support ticket: SUPPORT-42390

Authentication error message incorrect in certain scenarios

If a mandatory parameter was not sent with the request when using the OAuth provider and HTTP Form-Based Authentication, a 400 Bad Request error was returned with an invalid_client error code. Now the returned error code has been changed to invalid_request error, which is more accurate.

Case number: 00769607

Support ticket: SUPPORT-50092

Oracle replication could fail due to production errors

If APIs or apps were deleted and the Oracle table UDDI_SERVICE did not have the DELETE CASCADE constraint set, the records in the child table UDDI_INST_DETAILS were not deleted, resulting in inconsistent behavior. Now, the DELETE CASCADE constraint has been added to the UDDI_INST_DETAILS table.

Case number: 00769624

Support ticket: SUPPORT-50188

After deleting an app, OAuth profile and access token remained available

When an app was deleted, its OAuth profile was still available, and requesting access could still return an access token to the app.

Case numbers: 00820078, 00820458

Support ticket: No related support tickets.

Possible authentication issues after product upgrade

Authentication between Network Director and Policy Manager could intermittently fail with an invalid credentials error, after upgrading to 2022.1.1.

Case number: 00764571

Support ticket: No related support tickets.

WSDL operation not correctly identified for some Content-Type HTTP headers

If a WSDL file included a parameter after the "action=" parameter (rather than after the operation) in the HTTP Content-Type header, the WSDL operation was not identified correctly, even though parameters should be allowed at this location in a WSDL file.

Case number: 00813334

Support ticket: No related support tickets.

Incorrect error header could be returned for the HTTP Security policy

If no certificate was sent when using the HTTP Security policy configured with Client Certificate, the returned error HTTP "401 Unauthorized" included an incorrect header that was specific to Basic Authentication.

Support ticket: No related support tickets.

Some operational and QoS policies were automatically removed

Changes to a physical service in Policy Manager could result in the automatic removal of Operational and/or QoS (Quality of Service) policies attached to the same physical service (a logical representation of an API/service external to the Akana API platform).

Case number: 00619475

Support ticket: SUPPORT-41793

Calls to APIs using the SPNEGO policy could fail

When using the SPNEGO Operational policy with the Kerberos Authentication policy, the service could not successfully get the Kerberos ticket (TGT) due to cache-refresh issues. This subsequently caused the API call to fail. The Kerberos ticket is now refreshed and cached after its expiration.

Support ticket: SUPPORT-46684

Some updates and imports were not updating the container

Various updates and imports were not updating the Network Director container, including the import of a new API, attaching new policies to APIs, or modifying the target endpoint. Now, these changes are reflected in Network Director without the need to restart the container.

Support ticket: No related support tickets.

Outdated JavaScript library security vulnerabilities

The JavaScript libraries with security vulnerabilities have been upgraded as follows:

  • jQuery 3.6.1
  • Handlebars 4.7.7
  • momentjs 2.29.4

Case number: 00687904

Support ticket: No related support tickets.

Some real-time charts could appear malformed

Real-time charts for 15 and 60-minute intervals no longer appear malformed.

Case number: 00798440

Support ticket: SUPPORT-41878

Invoking the Ping service could return an error

An error is no longer returned after invoking the Akana Ping Support feature on either a Policy Manager or Community Manager container.

Support ticket: No related support tickets.

Improved response times for some platform APIs

Optimization has improved the response times for the following platform APIs: login, apps, tickets, and contracts.

Case number: 00770035

Support ticket: SUPPORT-50212, SUPPORT-50210

OAuth Client policy attached to Physical Service could fail without trace logging

When attached to the Physical Service (target), the OAuth Client policy worked only when trace logging was enabled in Network Director.

Case number: 00619471

Support ticket: SUPPORT-41804, SUPPORT-43789

Cached Policy Manager public key in Network Director could be invalidated

Communication between Network Director(s) and Policy Manager failed intermittently due to the cached Policy Manager public key in the Network Director(s) becoming invalid.

Support ticket: SUPPORT-49545

New config property controls a schema object's parsing depth

A new configuration property swagger.config.maxDepth has been added to com.akana.swagger, available in the Admin Console. This property defines how many levels down to parse a schema object's properties/schemas for OAS/Swagger APIs. The default is 10. Increasing the default level may impact performance with large APIs.
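Why the depth cap matters is easiest to see on a schema walker. The following is an added Python illustration, not Akana's parser: the depth-counting convention (one level per nested property, array item or composition member, with $ref resolved in place) is an assumption, and the OAS fragment is constructed. It includes a self-referencing schema, the case where an unbounded walk would never terminate.

```python
def resolve_ref(ref: str, document: dict) -> dict:
    """Resolve a local JSON pointer such as '#/components/schemas/Order'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node = document
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def walk_schema(schema: dict, document: dict, max_depth: int = 10, _depth: int = 0, _stats=None) -> dict:
    """Visit a schema's nested properties/items/composition up to max_depth levels.

    Returns {'visited': n, 'truncated': m}, where truncated counts subtrees not
    entered because the cap was reached. A schema that references itself (Node
    below) has no finite expansion, so the cap is what bounds the work; raising
    it raises the cost on large or self-referential APIs.
    """
    stats = _stats if _stats is not None else {"visited": 0, "truncated": 0}
    if _depth > max_depth:
        stats["truncated"] += 1
        return stats
    if "$ref" in schema:
        schema = resolve_ref(schema["$ref"], document)
    stats["visited"] += 1
    children = list(schema.get("properties", {}).values())
    if "items" in schema:
        children.append(schema["items"])
    for key in ("allOf", "anyOf", "oneOf"):
        children.extend(schema.get(key, []))
    if isinstance(schema.get("additionalProperties"), dict):
        children.append(schema["additionalProperties"])
    for child in children:
        walk_schema(child, document, max_depth, _depth + 1, stats)
    return stats


# Constructed OAS 3.0 fragment: Order -> Line is finite, Node -> Node is self-referential.
SAMPLE_DOC = {"components": {"schemas": {
    "Node": {"type": "object", "properties": {
        "name": {"type": "string"},
        "child": {"$ref": "#/components/schemas/Node"}}},
    "Order": {"type": "object", "properties": {
        "id": {"type": "string"},
        "lines": {"type": "array", "items": {"$ref": "#/components/schemas/Line"}}}},
    "Line": {"type": "object", "properties": {
        "sku": {"type": "string"}, "qty": {"type": "integer"}}},
}}}
```

With the default cap of 10 the Order schema is walked completely, while the Node schema is cut off after 11 levels rather than looping.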

Support ticket: SUPPORT-49065

Inactive session timeout could be ignored if an active session timeout was also set

If both the active and inactive session timeout settings are set, the inactive session timeout setting could be ignored and in some cases, an error could be returned. Session timeout settings now work as expected.

Support ticket: SUPPORT-45430

Policy Manager could save the wrong organization type

When adding or modifying an organization in the Policy Manager Console, then selecting an organization type, in some cases the type was not saved correctly, resulting in a failure to load the organization overview.

Support ticket: No related support tickets.

Authentication policy creation allowed the selection of all customer domains

When creating an Authentication policy, the domain options incorrectly included all customer domains. Now, only domains associated with the organization or tenant are available for selection.

Support ticket: No related support tickets.

Reimported API could be added to an incorrect organization

If an API was previously deleted and imported back into the tenant, the API was not placed in the correct API organization.

Support ticket: No related support tickets.

The Contracts API used inconsistent case for start query parameters

The GET /api/apis/versions/<apiVersionId>/contracts API mistakenly used title case Start and Count query parameters when all other methods use lower case start and count query parameters. Now, lower case start and count query parameters are allowed, while title case Start and Count have been retained for backward compatibility.

Support ticket: SUPPORT-35863

Uploaded images did not always save correctly in Community Manager

When uploading an image to the API Documentation page in Community Manager, the image was not saved properly in some cases.

Support ticket: SUPPORT-48664

Community Manager did not display an active policy if a draft had a later version date

When a draft version of a policy existed with a newer version than the active policy, the active policy did not display. Now, any policy that is active, regardless of whether there is a draft version that would supersede it, displays appropriately in the list of policies on the API Implementations > Edit Policies page.

Support ticket: SUPPORT-46680

Open API 3.0 version incorrectly returned in the Developer Portal

The Open API 3.0 version identified in the OAS 3.0 API definition in the API Designer of the Community Manager Developer Portal was returning an invalid version.

Support ticket: SUPPORT-45867