2022.1.3 Minor Releases

 

Each update is cumulative and includes all updates provided in earlier 2022.1.3 updates. 

Minor Releases:

2022.1.3.2

September 5, 2024

Enhancements: 2022.1.3.2

TLS 1.3 support

Support for Transport Layer Security (TLS) protocol version 1.3 has been added, with the cipher suites TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256, for incoming and downstream messages.

See the “Enabling TLS v1.2 and v1.3” and “Limit outbound SSL/TLS/Cipher support” sections in the Akana Platform Hardening Guide for details.

Case numbers: 00620892, 00796017, 00635554, 01202321

Support added for Oracle 23c, with some limitations

The Akana platform has added certification for Oracle 23c.

Due to some limitations with Oracle 23c, however, it is not yet certified with Lifecycle Coordinator, Lifecycle Manager, and Lifecycle Repository, which includes Promotions and Custom Properties.

Case number: No related case number

Header parameters can now be added to the Test Client security settings

When configuring the Test Client with security settings, one or more header parameters can now be added, both for internal and external OAuth providers. For detail, see the Akana documentation Test Client security settings: OAuth Policy.

Case number: 00678067

OpenID Connect Relying Party Domain allows additional parameters

The OpenID Connect Relying Party Domain now allows the option to configure additional parameters and to send them in the /api/login/ssoLogin call.

In addition, using Oracle Access Manager as the OIDC domain for single sign-on is now supported. For detail, see “OpenID Connect Support” on the Akana documentation website.

Case number: 01002120

Admin can configure signature validation for SAML Web SSO domain

An administrator now has the ability to configure signature validation for the SAML Web SSO domain to ensure enforcement of signature validation on a SAML response or assertion. See "SAML Signature Policy" and “Enforce signature validation for SAML Web Browser SSO login domain” in the Akana documentation.

Case number: No related number

Support added for IAM authentication

Akana adds support for using AWS Identity and Access Management (IAM) authentication tokens when accessing Amazon RDS (Relational Database Service) instances. When the IAM feature is enabled on the Amazon RDS instance, Akana communicates with the RDS instance using the IAM token instead of traditional database credentials. Akana has certified this feature with MySQL and Aurora MySQL-compatible databases.

Case number: 01049614

New configuration option in Admin Console for Jetty to manage its configuration

The Admin Console now has an option that allows the Jetty transport to manage its own configuration. This may improve container performance.

Set the following properties in the com.soa.platform.jetty configuration to -1 so that Jetty calculates the values from the machine's configuration:

  • http.incoming.transport.config.acceptThreads

  • http.incoming.transport.config.requestQueueSize

After upgrading, manually change the values for these properties to -1 to use this configuration.

See Configuration properties for the Jetty transport in the Akana documentation for more detail.

Standard and non-standard error codes are now available in analytics logs

The analytics logs filter "Status Code" previously included only standard error codes. Non-standard error codes have now been added for cases in which other codes are used; for example, 555, 556, and 557 are now available in the filter.

Case number: 01062506

Support added for AWS IAM Roles for Service Accounts

Support has been added for IAM (AWS Identity and Access Management) Roles for Service Accounts (IRSA) when using Amazon RDS (Relational Database Service).

Case number: 01161394

Known Issues: 2022.1.3.2

Duplicate alerts returned for missing or expired certificates

If a certificate is expired or not present in the trust store at both the container and service level, duplicate alerts could be returned.

Case number: No related case

Bug Fixes: 2022.1.3.2

Logging messages enhanced for easier troubleshooting

Akana has enhanced its alert descriptions to better identify connectivity issues for inbound and outbound requests. These include:

  • SSL handshake-related errors

  • Peer certificate validation errors during the SSL handshake

Enhanced alerts will help in troubleshooting OAuth providers and API gateway traffic.

Case numbers: 01162921, 01180895

Logs display repeatedly returned to the top

In the Community Manager developer portal, the display of an API's logs would repeatedly return to the top of the screen when viewing a log's expanded detail.

Case number: 01057294

The transport header view did not display all data

The transport header shown under Analytics > Logs truncated the displayed data. The maximum transport header length is now configurable; the default is 4,000 characters.

Case numbers: 01012033, 00615564

Jetty cipherSuites property was ignored

The value set for the http.incoming.transport.config.cipherSuites property in the com.soa.platform.jetty configuration was being ignored.

Case number: No related case

Removing a Detailed Auditing policy could fail

Removing a Detailed Auditing policy from the tenant organization level could return a database SQL exception.

Case number: 01112667

JOSE Security Policy was experiencing performance issues

Performance issues were experienced with the JOSE Profile Security Policy because, in some cases, the certificate chain was validated twice during policy enforcement. This has been addressed and should result in a performance improvement.

Case number: 01135025

Using Okta as an external OAuth provider could produce a general system error

When using Okta as an external OAuth provider, the "audience" field was not being passed properly, resulting in a general system error.

Case number: 00991749

Container logs could contain duplicate entries or have incorrect timestamps

The logs for a container sometimes contained duplicate entries, or the millisecond (ms) timestamp could be incorrect.

Case numbers: 01071552, 01043327, 00970405, 01116094

Audit log for the HTTP Caching Policy did not include all data

When using the HTTP Caching Policy, the contract information was not displayed in the audit log.

Case number: 00620140

Incorrect alert notifications in some situations

An incorrect alert code 9031 and alert message (Cannot establish connection to [{0}] because it cannot be trusted) could be produced for a target API SSL connection error.

A new alert code 9033 and alert message (Connection to [{0}] cannot be established due to a SSL Exception, which may indicate either an SSL handshake error or IO error) has been added to handle this case.

Case number: 01130776

Database connection leaks for Policy Manager could occur in certain conditions

The number of active database connections was increasing in certain environments, causing the connection pool to become exhausted at times.

Case number: 00803115

My Apps page did not update APIs connected count after deleting an API

In the Community Manager Developer Portal, deleting an API did not correctly decrement the number of apps displayed under "APIs Connected" on the My Apps page.

Case number: No related case

Basic Auditing Policy did not correctly display in the Developer Portal

The Basic Auditing Policy did not properly display "Verb" and "Status" as well as "partial request" and "partial response."

Case number: 00969635

HTTP Message Validation Policy could fail for multipart form data requests

For a request with multipart form data in the body, the HTTP Message Validation Policy could fail.

Case numbers: 00895061, 01115810

Shared secret with special characters could be unreadable

When creating a shared secret for an app in the Community Manager portal, the secret could be saved in an unreadable format if it contained special characters.

Case number: 00900221

HTTP Caching Policy could return an error when sending an OPTIONS request

An HTTP Caching Policy attached to an API could result in a null pointer exception error when sending an OPTIONS request for preflight.

Case number: 01068547

After upgrading, could not log into the Developer Portal using an OIDC domain

After upgrading, logging into the Developer Portal using an OpenID Connect Relying Party (OIDC) domain could return an error.

Case number: No related case

Some OAuth grant types were not working with SAML Authentication Domain

When using a SAML authentication domain with the Akana OAuth provider, an access token was not generated for the Authorization Code grant type.

Case number: No related case

New config property controls the frequency of resource caching

Automatic resource caching (covering static and other resources in a container, including users, groups, APIs, apps, and board items) can now be configured to avoid situations in which refreshing a very large cache results in poor performance.

Use the new Admin console property atmosphere.config.staticVisibilityRelationshipCacheInDays within the com.soa.atmosphere configuration to set both the number of previous days to refresh and the frequency of the job.

Case number: No related case number

Security Vulnerabilities: 2022.1.3.2

Critical vulnerability detected in cloud and self-hosted systems

CVE-2024-2796: Akana has introduced the following security measures:

  • Configured the denied hosts list for all containers hosting the Akana Community Manager portal. See “Denied Hosts” under “Prevent forward proxying” in the Platform Hardening Guide.

  • Enforced that developers first log into the portal before invoking APIs hosted on Network Director from the Test Client or API documentation.

  • Ensured that a user session is ended within 20 seconds if that user is disabled or locked by the site administrator.

In addition, users are strongly advised to review the security settings for Akana deployments discussed in the Platform Hardening Guide, specifically the forward-proxy prevention settings that protect cloud-based Akana deployments, together with the other hardening settings.

Case numbers: 01130450, 01134231

XML External Entity vulnerability

CVE-2024-3930: The possibility of an XML External Entity attack was reported, which can result in the server hosting the Developer Portal making calls to arbitrary servers, also resulting in a Server Side Request Forgery (SSRF).

Additional security settings have been introduced in Community Manager to skip external entity references in an API specification, for XXE prevention. Refer to the Platform Hardening Guide, section “Skipping external entity references from API specification for XXE prevention.”

In addition, two API WSDL endpoints have been deprecated to avoid this issue:

  • GET /api/dropbox/wsdls?wsdlUrl={url}

  • POST /api/dropbox/wsdls

Case number: 01134229
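The XXE fix above amounts to refusing to resolve external entities while reading an API description. As an added example (not Akana's code, and not the setting described in the Platform Hardening Guide), the following Python program rejects any DOCTYPE, entity declaration or external entity reference in a pre-parse pass before the document reaches the real parser, so no file or URL named by the document is ever fetched. The WSDL-like inputs are constructed for the example; the `internal.example.test` host is a placeholder.

```python
# Added example (not Akana code): reject DOCTYPE and entity declarations in an
# XML API description before it is parsed, so that no external entity can be
# resolved (XXE) and no server-side fetch of a document-chosen URL (SSRF)
# occurs. Uses only the Python standard library; the inputs are constructed.
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when a document carries DTD constructs we refuse to process."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Run a streaming expat pass that aborts on the first DTD construct.

    Expat reports the DOCTYPE, every entity declaration and every external
    entity reference through handlers; each handler raises, so the document
    is rejected before any element content is handed to the real parser.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference not allowed ({sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # raises expat.ExpatError on malformed input


def parse_api_spec(xml_bytes: bytes) -> ET.Element:
    """Parse an API description only after it has passed check_no_dtd()."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed inputs: a plain WSDL-like fragment, and the same document with an
# inline DTD declaring an external entity that points at an internal host
# (placeholder name) so that resolving it would be an SSRF.
SAFE_SPEC = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Orders">
  <service name="OrderService"/>
</definitions>"""

XXE_SPEC = b"""<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY fetched SYSTEM "http://internal.example.test/">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="&fetched;">
  <service name="OrderService"/>
</definitions>"""


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parsed, False if the DTD guard rejected it."""
    try:
        parse_api_spec(xml_bytes)
    except UnsafeXmlError:
        return False
    return True


if __name__ == "__main__":
    print("safe spec accepted:", is_accepted(SAFE_SPEC))  # True
    print("XXE spec accepted: ", is_accepted(XXE_SPEC))   # False
```

Rejecting the whole document, rather than silently dropping the entity reference, makes the condition visible in logs and keeps a partially resolved specification from being imported; a deployment that prefers to skip the references instead can keep the same handlers and have them record the event rather than raise.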

SAML replay attack

CVE-2024-5249: A SAML replay attack was possible in certain situations. To address this vulnerability, at SSO login Akana now stores the assertion IDs in the database so that a reused ID can be recognized and the replay stopped.

Case number: 01148148
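The replay defense described above is a record of consumed assertion IDs checked on every SSO login. As an added example (not Akana's code), the following Python program implements that check: it reads the assertion ID and Conditions window from a constructed SAML response, rejects assertions outside their NotBefore/NotOnOrAfter window, and rejects any ID presented a second time within its window. An in-memory dictionary stands in for the database table, the response carries no signature (signature validation is assumed to have happened before this step), and the timestamps, names and host are constructed.

```python
# Added example (not Akana code): a replay guard that records the ID of every
# consumed SAML assertion and rejects an ID that is presented again. The dict
# stands in for the database table; the response is constructed and unsigned,
# with signature validation assumed to have run earlier in the login flow.
from datetime import datetime, timezone
from typing import Dict
from xml.etree import ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class ReplayDetected(Exception):
    """The assertion ID was already consumed within its validity window."""


class AssertionExpired(Exception):
    """The assertion is outside its NotBefore/NotOnOrAfter window."""


class ConsumedAssertionStore:
    """Map of assertion ID -> NotOnOrAfter for assertions already accepted."""

    def __init__(self) -> None:
        self._consumed: Dict[str, datetime] = {}

    def consume(self, assertion_id: str, not_before: datetime,
                not_on_or_after: datetime, now: datetime) -> None:
        # Entries past NotOnOrAfter can be dropped: a replay of such an
        # assertion is rejected by the expiry check below anyway, so the table
        # only has to hold IDs for the length of one validity window.
        self._consumed = {i: t for i, t in self._consumed.items() if t > now}
        if now < not_before or now >= not_on_or_after:
            raise AssertionExpired(assertion_id)
        if assertion_id in self._consumed:
            raise ReplayDetected(assertion_id)
        self._consumed[assertion_id] = not_on_or_after

    def __len__(self) -> int:
        return len(self._consumed)


def _saml_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def accept_response(xml_text: str, store: ConsumedAssertionStore,
                    now: datetime) -> str:
    """Check the validity window and replay status; return the subject NameID."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    store.consume(
        assertion.get("ID"),
        _saml_time(conditions.get("NotBefore")),
        _saml_time(conditions.get("NotOnOrAfter")),
        now,
    )
    return assertion.find("saml:Subject/saml:NameID", SAML_NS).text


def login_result(xml_text: str, store: ConsumedAssertionStore,
                 now: datetime) -> str:
    """Outcome of one login attempt as a short string, for logging or tests."""
    try:
        return "ok:" + accept_response(xml_text, store, now)
    except ReplayDetected:
        return "rejected:replay"
    except AssertionExpired:
        return "rejected:expired"


# Constructed, unsigned SAML response (placeholder IdP host and user).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0">
  <saml:Assertion ID="_assertion-1" Version="2.0" IssueInstant="2024-09-05T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-09-05T11:59:00Z" NotOnOrAfter="2024-09-05T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed clock values: inside the window, and after NotOnOrAfter.
LOGIN_TIME = datetime(2024, 9, 5, 12, 0, 30, tzinfo=timezone.utc)
LATE_TIME = datetime(2024, 9, 5, 12, 6, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    store = ConsumedAssertionStore()
    print(login_result(SAMPLE_RESPONSE, store, LOGIN_TIME))  # ok:alice@example.test
    print(login_result(SAMPLE_RESPONSE, store, LOGIN_TIME))  # rejected:replay
    print(login_result(SAMPLE_RESPONSE, store, LATE_TIME))   # rejected:expired
```

Because the store only needs to remember an ID until its NotOnOrAfter passes, a database-backed version of this table stays bounded by the IdP's assertion lifetime; the expiry check is what makes that pruning safe, so the two checks have to be kept together.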

2022.1.3.1

January 17, 2024

Analytics logs could omit seconds in the timestamp

In some cases, Analytics logs displayed only hours and minutes without seconds (i.e., HH:mm format rather than HH:mm:ss).

Case number: 01021245

After upgrade, SQL queries could result in long delays

After upgrading to 2022.1.2, some SQL queries could take more than 30 seconds during the provisioning part of installation.

Case number: 01031006

FreeMarker template appears empty in Process Editor

When using the FreeMarker plugin in the Process Editor, a blank screen could display in both Community Manager and Policy Manager.

Case number: 01023338

Concurrency Quota Policy cannot recover from validation failure when combined with another policy

When using the Concurrency Quota Policy with any other policy that validates a response, any failure of that validation results in a state from which it cannot recover without rebooting the API Gateway.

Case number: 00987844

Query could fail with an "invalid relational operator" error

When using the OAuth Security policy, a SQL query could fail with an "invalid relational operator" error.

Case number: 00768262

Exporting a large volume of services could fail when using Oracle

In Community Manager, exporting organizational data could fail for organizations with more than 1,000 APIs or Apps when using Oracle.

Case number: 00904852

Combining some policies and configurations could fail to log the response body

When configuring the Detailed Auditing Policy for failure and the Basic Auditing Policy for success, and then sending the request for any API, the response body was logged on successful transactions.

Case number: 01024495

SOAP services returned a 404 error when "Bind to all interfaces" was not selected

SOAP services returned an HTTP 404 error "File not found" when "Bind to all interfaces" was not selected on API Gateway listeners. Now, a SOAP service works even when "Bind to all interfaces" is not selected.

Case number: No related case

Updating the context path no longer automatically updates the WSDL port name if the port name already exists

(Also provided with the fix pack 2022.1.2.8.)

When updating the context path of an API, the Developer Portal automatically updates the WSDL port name for that API. If an application has already set the WSDL port name, this automatic update could change the port name and therefore result in a failure to consume the API. Now, the portal checks if a WSDL port name already exists; if so, it is not updated.

Case number: 00947521

The HTTP Message Validation Policy did not support the nullable attribute for OpenAPI

Using the nullable attribute with OpenAPI could result in a validation error when sending a request with a null value through the HTTP Message Validation Policy.

Case number: 00942600