Major Release 2024.1.0

July 30, 2024

Key Features: 2024.1.0

In-place container upgrades and rollbacks

This release offers improved capabilities for in-place container upgrades. You can now easily apply cumulative upgrades to any Akana container. A snapshot of the container state is automatically created prior to upgrade, allowing updates to be easily uninstalled using the rollback function.

These features can be executed through the container's Admin Console or via automation recipes. In-place container upgrades and rollbacks are executed on a running container. For detail, see the Akana documentation at "Install the Cumulative Upgrades and Rollback Changes."

OpenAPI Specification 3.1 Support

Akana has added support for the OpenAPI Specification 3.1. Key enhancements introduced along with this feature are:

  • Creating and updating REST APIs using OAS 3.1 format.

  • Downloading the OAS 3.1 API specification from an API.

  • Validating the request and response for APIs using the HTTP Message Validation policy.

  • Viewing the OAS 3.1 documentation with partial support for OAS 3.1 constructs.

  • JSON Schema 2020-12 Compatibility:

    • JSON schema type 'null'

    • Discriminator property for oneOf, anyOf keywords

Please refer to “Open API Specification 3.x Support” for limitations and an OAS 3.1 migration guide.

Case numbers: 00942600, 00801346, 00992924

FDX 6.0 API specification support for US Open Banking

Akana now supports creation and management of APIs using YAML files for Financial Data Exchange (FDX) 6.0. In addition, implementers of FDX API can leverage the following platform features to enhance security, efficiency, and interoperability of financial data sharing:

  • Mutual TLS via certificate-based client authentication applied to the transport layer (enforced by the HTTP Security Policy).

  • Client authorization using OAuth 2.0 enforced by the OAuth Policy.

  • Message security using signed and encrypted tokens, with the security requirements specific to the U.S. Open Banking standard in place (enforced by the JOSE Profile driven policy).

  • Error messages in FDX 6.0 API specification format using a custom Fault mapping policy plug-in.

Case number: 00800304

Enhancements: 2024.1.0

Access Token encryption key rotation is supported in External OAuth provider domain

The Akana External OAuth Provider domain now supports configuring multiple identities as encryption keys. Configure multiple identities on the External OAuth Provider Access Token Validation page, and choose "Supports Encryption / Reference encryption keys from an existing platform identity."

This feature will enable JWT encryption key rotation on External OAuth Provider. During the key rotation period, the current identity (close to expiration) and the new identity (after expiration) will be used to decrypt the token. Key rotation will not require any downtime.

This feature requires the OAuth provider to include kid in the header of the JWT access_token.

For detail, see “How do I configure encryption key rotation for an External OAuth Provider domain?” in the Akana documentation.

Case number: 00844863
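The rotation described above hinges on the kid header: the gateway must pick the decryption identity the token names, accept either the expiring or the replacement identity while both are configured, and refuse tokens that name nothing it knows. The following is an added illustration of that selection logic, not Akana code; the Identity model, the helper names and the sample kids are assumptions, and the token built here carries only a protected header so nothing is actually decrypted.

```python
import base64
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    """One platform identity configured as an access-token decryption key (hypothetical model)."""
    kid: str             # key id the OAuth provider places in the JWT header
    key: bytes           # key material; placeholder bytes in this example
    not_after: datetime  # expiry of the identity's certificate


def _b64url_decode(segment: str) -> bytes:
    # JOSE compact serialization uses unpadded base64url
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def select_identity(token: str, identities: list, now: datetime) -> Identity:
    """Return the configured identity whose kid matches the token's protected header.

    With both the expiring identity and its replacement configured, tokens
    encrypted under either key are accepted, so rotation needs no downtime.
    A missing kid, an unknown kid, or a kid whose identity has already
    expired is rejected before any decryption would be attempted.
    """
    header = json.loads(_b64url_decode(token.split(".")[0]))
    kid = header.get("kid")
    if kid is None:
        raise ValueError("JWT header has no kid; rotation requires it")
    for ident in identities:
        if ident.kid == kid:
            if ident.not_after <= now:
                raise ValueError(f"identity for kid {kid!r} expired at {ident.not_after:%Y-%m-%d}")
            return ident
    raise ValueError(f"no configured identity for kid {kid!r}")


def make_token(kid: str) -> str:
    """Constructed JWE-shaped token: only the protected header is meaningful here."""
    header = {"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid}
    encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([encoded, "", "", "", ""])  # encrypted key, IV, ciphertext, tag left empty


# Constructed rotation scenario: the 2023 identity expires a week after NOW.
NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)
OLD_IDENTITY = Identity("key-2023", b"<old key material>", NOW + timedelta(days=7))
NEW_IDENTITY = Identity("key-2024", b"<new key material>", NOW + timedelta(days=365))
IDENTITIES = [OLD_IDENTITY, NEW_IDENTITY]
AFTER_OLD_EXPIRES = NOW + timedelta(days=8)


def accepted_kid(token: str, now: datetime):
    """Return the kid that would be used for decryption, or None when the token is rejected."""
    try:
        return select_identity(token, IDENTITIES, now).kid
    except ValueError:
        return None


if __name__ == "__main__":
    for kid in ("key-2023", "key-2024", "key-2019"):
        print(kid, "during rotation:", accepted_kid(make_token(kid), NOW),
              "| after old expiry:", accepted_kid(make_token(kid), AFTER_OLD_EXPIRES))
```

The expiry check on the matched identity is what makes the window finite: once the old certificate passes its not-after date, tokens still naming the old kid are refused even though the identity remains configured, which is the state you want before removing it.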

New configuration option in Admin Console for Jetty to manage its configuration

The Admin Console now has an option that allows the Jetty transport to manage its own configuration. This may improve container performance.

Set the following Jetty configuration properties under com.soa.platform.jetty to -1 so that Jetty calculates the values from the machine configuration:

  • http.incoming.transport.config.acceptThreads

  • http.incoming.transport.config.requestQueueSize

After upgrading, manually change the values for these properties to -1 to use this configuration.

See Configuration properties for the Jetty transport in the Akana documentation for more detail.

Support added for Oracle 23c, with some limitations

The Akana platform has added certification for Oracle 23c.

Due to some limitations with Oracle 23c, however, it is not yet certified with Lifecycle Coordinator, Lifecycle Manager, and Lifecycle Repository, which includes Promotions and Custom Properties.

Case number: No related case number

Support added for IAM authentication

Akana adds support for using AWS Identity and Access Management (IAM) authentication tokens when accessing Amazon RDS (Relational Database Service) instances. When the IAM feature is enabled on the Amazon RDS instance, Akana communicates with the RDS instance using the IAM token instead of traditional database credentials. Akana has certified this feature with MySQL and Aurora MySQL-compatible databases.

Case number: 01049614

Support added for AWS IAM Roles for Service Accounts

Support has been added for IAM (AWS Identity and Access Management) Roles for Service Accounts (IRSA) when using Amazon RDS (Relational Database Service).

Case number: 01161394

Enhanced support for Content-Type application/jose in API specification

Support has been expanded for the content-type application/jose defined in the OAS specification. If an API specification has content type application/jose or application/jose+json defined for any path, Akana now recognizes the content type and processes the request.

Case numbers: 00944314, 00977376

Updating Policy Manager keys no longer requires the Gateway to restart

When changing the Policy Manager keys (Manager > Configure > Security > Details > Manage PKI keys), the Akana Gateway can now receive an updated Policy Manager certificate without a restart. Prior to this change, a restart was required.

Case number: 00616796

Apps will not be deleted from PingFederate after deleting APIs in some cases

An app contracted to more than one API could be deleted from PingFederate when one of those APIs was subsequently deleted. After this enhancement, the app is no longer deleted in this case.

Case number: 01011211

Alerts can be configured for PingFederate Client Registration status

Akana now generates alerts for PingFederate Client Registration scheduled job success and error results. New alert codes 610000, 610001, 610002, and 610003 have been added for this purpose. For detail, see the Akana documentation "How do I monitor the PingFederate Client Registration Status?"

Case number: 01062506

Alerts are now triggered for policy changes

Alerts are now generated when a policy is updated or attached to/removed from an API in the Community Manager. New alert codes 710000 and 710001 are used for this purpose. If the email group for these alert codes is configured by the admin, email notifications are also sent for these changes. Please refer to Alerts and email notifications for policy changes in the Akana documentation for the details.

Case number: 00896923

Alert email subject change

The subject of email alerts has changed and will now contain a prefix "Akana Alert" followed by the alert severity, alert code, and alert description.

Certificate Expiration reminders are configurable for a non-HSM environment

Support has been added for certificate expiration notifications, with the exception of the use of a hardware security module (HSM). For detail, see the Akana documentation "Managing Certificate Expiration Alerts."

After upgrading to 2024.1.0, review your setup as described in Managing Certificate Expiration Alerts and, if not already set, set up the email recipient for the alerts.

Case number: 00604902

New config property controls the frequency of resource caching

Automatic resource caching (resources being all static and other resources in a container, including users, groups, APIs, apps, board items, etc.) can now be configured to avoid circumstances in which a very large cache can result in poor performance while refreshing.

Use the new Admin console property atmosphere.config.staticVisibilityRelationshipCacheInDays within the com.soa.atmosphere configuration to set both the number of previous days to refresh and the frequency of the job.

Case Number: No related case.

New errors-only log file

A new log file stderr.log has been introduced, in addition to the existing stdout.log, to capture only errors. This can be useful to debug SSL handshake errors when a container is started with System property -Djavax.net.debug=ssl:handshake or -Djavax.net.debug=all. For example:

./startup.sh gw-1 -Djavax.net.debug=ssl:handshake -bg

Case number: No related case

Header parameters can now be added to the Test Client security settings

When configuring the Test Client with security settings, one or more header parameters can now be added, both for internal and external OAuth providers. For detail, see the Akana documentation Test Client security settings: OAuth Policy.

Case number: 00678067

Standard and non-standard error codes are now available in analytics logs

The analytics logs filter "Status Code" included only standard error codes. Now, non-standard error codes have been added for cases in which other error codes are used; for example, 555, 556, and 557 are now available in the filter.

Case number: 01062506

Admin can configure signature validation for SAML Web SSO domain

An administrator now has the ability to configure signature validation for the SAML Web SSO domain to ensure enforcement of signature validation on a SAML response or assertion. See "SAML Signature Policy" and “Enforce signature validation for SAML Web Browser SSO login domain” in the Akana documentation.

Case number: No related number

OpenID Connect Relying Party Domain allows additional parameters to OIDC

The OpenID Connect Relying Party Domain now allows the option to configure additional parameters and to send them in the /api/login/ssoLogin call.

In addition, using Oracle Access Manager as the OIDC domain for single sign-on is now supported. For detail, see “OpenID Connect Support” on the Akana documentation website.

Case number: 01002120

Known Issues: 2024.1.0

Multipart request validation not supported

The ability to validate a request with a multipart content type is not supported for the HTTP Validation Policy using OAS 3.0. (Akana ignores binary fields when validating.)

Note: Binary format fields should not be marked as mandatory.

Case number: 00895061

Importing an entire organization can fail

Import can fail in some cases when an export of an entire organization is imported into the target environment.

Case number: No related case

Downloaded API specification lacks license and contact information

When downloading an API specification, it is missing license and contact information.

Case number: No related case

Detailed error messages are missing for header validation failure in some scenarios

For a header validation failure in the HTTP Message Validation policy, detailed error messages are missing and only basic error messages are reported when there are errors for both body and headers.

Case number: No related case

Incorrect error message for expired certificate when certain policy combinations are used for an API

When the Atmosphere Security policy, the Aggregate of HTTP Security Policy (client credential), and authentication are attached to an API and the client certificate is expired, an "Unknown certificate" error message is returned instead of the "Certificate is expired" error message.

Case number: No related case

Possible incorrect error returned for certificates not in trust store

When the Akana API Gateway makes a call to a target API over HTTPS and the target API certificate is not in the Akana trust store, an incorrect error could be returned: “Connection to [{0}] cannot be established due to a SSL Exception, which may indicate either an SSL handshake error or IO error.” The returned error should be: “Cannot establish connection to [{0}] because it cannot be trusted.”

Case number: 01051064

Bug Fixes: 2024.1.0

ICAP Exception could be overridden by an NPE when using the Anti-Virus Policy

When using the Anti-Virus Policy, if an ICAPException occurred, it could be overridden by a NullPointerException (NPE), causing the ICAPException to be hidden.

Case number: 01108416

The HTTP Message validation policy did not support the nullable attribute for OpenAPI

Using the attribute nullable with OpenAPI could result in a validation error when sending a request with a null value using the HTTP Message validation policy.

Case number: 00942600
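Both the OAS 3.1 support above (JSON Schema 2020-12, where "null" is an ordinary entry in a `type` list) and this fix for the OAS 3.0 `nullable` attribute come down to the same question: which JSON types does a property schema admit. The following added example, not Akana's validator and not taken from the documentation, shows a type check that accepts either spelling, plus the rewrite an OAS 3.0 to 3.1 migration needs (`nullable: true` becomes `"null"` in the `type` array, since 3.1 has no `nullable`). The sample schemas and function names are constructed for illustration.

```python
# Type predicates for the JSON Schema primitive types (bool is excluded from
# integer/number, as JSON Schema requires).
JSON_TYPES = {
    "null": lambda v: v is None,
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
    "array": lambda v: isinstance(v, list),
    "object": lambda v: isinstance(v, dict),
}


def allowed_types(schema: dict) -> set:
    """Types a property schema accepts, in either the OAS 3.0 or the OAS 3.1 spelling.

    OAS 3.0 marks a property nullable with `nullable: true` beside a single
    `type`; OAS 3.1 (JSON Schema 2020-12) has no `nullable` and lists "null"
    in a `type` array instead.  A schema with no `type` accepts everything.
    """
    declared = schema.get("type")
    if declared is None:
        types = set(JSON_TYPES)
    elif isinstance(declared, list):
        types = set(declared)
    else:
        types = {declared}
    if schema.get("nullable") is True:
        types.add("null")
    return types


def validate_type(value, schema: dict) -> bool:
    """True when the value's JSON type is one the schema allows."""
    return any(JSON_TYPES[t](value) for t in allowed_types(schema) if t in JSON_TYPES)


def migrate_nullable(schema):
    """Rewrite OAS 3.0 `nullable: true` into the OAS 3.1 `type: [..., "null"]` form, recursively."""
    if isinstance(schema, list):
        return [migrate_nullable(item) for item in schema]
    if not isinstance(schema, dict):
        return schema
    out = {k: migrate_nullable(v) for k, v in schema.items() if k != "nullable"}
    if schema.get("nullable") is True and "type" in schema:
        declared = schema["type"]
        types = list(declared) if isinstance(declared, list) else [declared]
        if "null" not in types:
            types.append("null")
        out["type"] = types
    return out


# Constructed OAS 3.0 property schemas, as they might appear under a request body.
OAS30_SAMPLE = {
    "type": "object",
    "properties": {
        "middleName": {"type": "string", "nullable": True},
        "age": {"type": "integer"},
        "tags": {"type": "array", "items": {"type": "string", "nullable": True}},
    },
}
OAS31_SAMPLE = migrate_nullable(OAS30_SAMPLE)

if __name__ == "__main__":
    for name, prop in OAS30_SAMPLE["properties"].items():
        print(name, "accepts null:", validate_type(None, prop), "->", OAS31_SAMPLE["properties"][name])
```

A validator that reads only the `type` keyword and ignores `nullable` produces exactly the failure this fix describes: a null value for a nullable string is refused. Normalising both spellings into one type set before checking makes the behaviour independent of which OAS version the specification was written in.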

Concurrency Quota Policy cannot recover from validation failure when combined with another policy

When using the Concurrency Quota Policy with any other policy that validates a response, any failure of that validation results in a state from which it cannot recover without rebooting the API Gateway.

Case number: 00987844

Incorrect alert notifications in some situations

An incorrect alert code 9031 and alert message (Cannot establish connection to [{0}] because it cannot be trusted) could be produced for a target API SSL connection error.

A new alert code 9033 and alert message (Connection to [{0}] cannot be established due to a SSL Exception, which may indicate either an SSL handshake error or IO error) has been added to handle this case.

Case number: 01130776

After converting OAS 3.0 to Swagger 2.0, examples tags did not convert properly

Examples for API paths created using OAS 3.0 when converted to Swagger could fail to return error code examples.

Case number: 00896402

Container logs could contain duplicate entries or have incorrect timestamps

The logs for a container sometimes contained duplicate entries, or the millisecond (ms) timestamp could be incorrect.

Case numbers: 01071552, 01043327, 00970405, 01116094

Combining some policies and configurations could fail to log the response body

When configuring the Detailed Auditing Policy for failure and the Basic Auditing Policy for success, and then sending the request for any API, the response body was logged only in the case of failure.

Case number: 01024495

HTTP Message Validation policy could trigger an error given certain conditions

When configured with the "Fail Early" setting, the HTTP Message Validation policy failed to validate the message value against oneOf, allOf, or anyOf subschemas.

Case number: 01022402

AtmoAuthToken not invalidated for disabled or locked users

For all active sessions, the tenant-specific cookie AtmoAuthToken will now get invalidated within 20 seconds if the user is disabled or locked by an admin.

Case number: No related cases.

Fault headers were not downloaded properly or visible in the UI

On the API documentation page when downloading a JSON API, the fault code headers were incorrectly combined with the response code 200, while the headers of the actual response code remained empty. Correct headers are now retained for each response code.

Case number: No related case

For HTTP Message Validation using OAS, the array type was not validating correctly

For APIs using OAS, the array type was not validated correctly when using the HTTP Message Validation Policy.

Case number: No related case

Logs display repeatedly returned to the top

In the Community Manager developer portal, the display of an API's logs would repeatedly return to the top of the screen when viewing a log's expanded detail.

Case number: 01057294

Updating the context path no longer automatically updates the WSDL port name if the port name already exists

When updating the context path of an API, the Developer Portal automatically updates the WSDL port name for that API. If an application has already set the WSDL port name, this automatic update could change the port name and therefore result in a failure to consume the API. Now, the portal checks if a WSDL port name already exists; if so, it is not updated.

Case number: 00947521

SOAP services returned a 404 error when "Bind to all interfaces" was not selected

SOAP services returned an HTTP 404 error "File not found" when "Bind to all interfaces" was not selected on API Gateway listeners. Now, a SOAP service works even when unchecking "Bind to all interfaces."

Case number: No related case

Analytics logs could omit seconds in the timestamp

In some cases, Analytics logs displayed only hours and minutes without seconds (i.e., HH:mm format rather than HH:mm:ss).

Case number: 01021245

Query could fail with an "invalid relational operator" error

When using the OAuth Security policy, a SQL query could fail with an "invalid relational operator" error.

Case number: 00768262

Database connection leaks for Policy Manager could occur in certain conditions

The number of active database connections was increasing in certain environments, causing the connection pool to become exhausted at times.

Case number: 00803115

After upgrade, SQL queries could result in long delays

After upgrading to 2022.1.2, some SQL queries could take more than 30 seconds during the provisioning part of installation.

Case numbers: 01031006, 01029202

Exporting a large volume of services could fail when using Oracle

In Community Manager, exporting organizational data could fail for organizations with more than 1,000 APIs or Apps when using Oracle.

Case number: 00904852

HTTP Caching Policy could return an error when sending an OPTIONS request

An HTTP Caching Policy attached to an API could result in a null pointer exception error when sending an OPTIONS request for preflight.

Case number: 01068547

The transport header view did not display all data

The transport header shown under Analytics > Logs did not display all of its data. The displayed length of the transport header is now configurable, with a maximum of 4,000 characters, which is also the default value.

Case numbers: 01012033, 0061556

Using Okta as an external OAuth provider could produce a general system error

When using Okta as an external OAuth provider, the "audience" field was not being passed properly, resulting in a general system error.

Case number: 00991749

HTTP Security Policy with JWT Bearer Token option could fail in some scenarios

When using the HTTP Security Policy with an OAuth JWT bearer token, errors with validation could occur.

Case number: No related case

JOSE Security Policy was experiencing performance issues

Some performance issues were experienced with the JOSE Profile Security Policy because the certificate chain was being validated twice during policy enforcement, in some cases. This has been addressed and should result in a performance improvement.

Case number: 01135025

Shared secret with special characters could be unreadable

When creating a shared secret for an app in the Community Manager portal, the secret could be saved in an unreadable format if it contained special characters.

Case number: 00900221

Users with read-only access could have elevated permissions in certain cases

A user with read-only access on a domain was able to use the API POST /api/securitydomains.

After the fix:

  • The POST API will return an HTTP 401 error if the user doesn’t have add privileges on a domain.

  • The GET and PUT API will return an HTTP 401 error if the user doesn’t have read privileges on a domain, the domain is not accessible to the user, or the domain doesn’t exist.

Case number: No related case

SSL handshake could fail under load

When a gateway was operating under load, the SSL handshake could begin to fail. This has been addressed by adding support to allow Jetty to manage its properties acceptQueueSize, acceptThreads, and requestQueueSize, based on machine configuration. See the enhancement for this new Jetty configuration.

Case number: 00947437

The SAML Web SSO identity system could not be updated after some upgrades

After upgrading from 2020.2.x to 2022.1.3, modifying a SAML Web SSO identity system required that the user regenerate PKI keys and the x509 certificate.

Case number: No related case

My Apps page did not update APIs connected count after deleting an API

In the Community Manager Developer Portal, deleting an API did not correctly decrement the number of apps displayed under "APIs Connected" on the My Apps page.

Case number: No related case

Basic Auditing Policy did not correctly display in the Developer Portal

The Basic Auditing Policy did not properly display "Verb" and "Status" as well as "partial request" and "partial response."

Case number: 00969635

HTTP Message Validation policy fails for multipart form data request

For a request containing multipart form data in the body, the HTTP Message Validation Policy could fail.

Case numbers: 00895061, 01115810

The regex pattern is not validated in all cases when using OAS

When using OAS, the regular expression pattern was not always validated.

Case number: 00900593

Missing "EncodingType" attribute from SOAP header on a downstream request

When sending an API request downstream, the "EncodingType" attribute was missing from the wsse:Nonce element in the SOAP header.

Case number: 01034891

Jetty cipherSuites property was ignored

The value set for the http.incoming.transport.config.cipherSuites property in the com.soa.platform.jetty configuration was not being considered.

Case number: No related case

FreeMarker template appears empty in Process Editor

When using the FreeMarker plugin in the Process Editor, a blank screen could be displayed in both Community Manager and Policy Manager.

Case number: 01023338

Some OAuth grant types were not working with SAML Authentication Domain

When using SAML authentication for the Akana OAuth provider, an access token was not successfully generated for the Authorization Code grant type.

Case number: No related case

JOSE Security Policy v2 UK Open Banking 3.1 validation

The JOSE Security Policy's UK Open Banking 3.1 option now enforces a b64=false validation.

Case number: No related case

Bugs: Security Vulnerability Fixes

Critical vulnerability detected in cloud-hosted and self-hosted systems

CVE-2024-2796: Akana has introduced the following security measures:

  • Configured the denied hosts list for all containers hosting the Akana Community Manager portal. See the discussion Denied Hosts under “Prevent forward proxying” in the Platform Hardening Guide.

  • Enforced that developers first log into the portal before invoking APIs hosted on Network Director from the Test Client or API documentation.

  • Ensured that a user session is ended within 20 seconds if that user is disabled or locked by the site administrator.

In addition, users are strongly advised to review the security settings for Akana deployments discussed in the Platform Hardening Guide, in particular the settings that prevent forward proxying, which protect cloud-based Akana deployments, together with the other hardening settings.

Case numbers: 01130450, 01134231

Broken SAML Validation

CVE-2024-3826: In Akana versions prior to and including 2022.1.3, validation is broken when using the SAML Single Sign-On (SSO) functionality. To address this vulnerability, Akana has introduced the following security measures:

  • Updated the SAML Web SSO domain configuration so that a security policy can be configured for SAML response and/or assertion validation.

Case number: 01148146

SAML single sign-on errors could display vulnerable information

CVE-2024-5250: System errors regarding SAML single sign-on could include unnecessary internal details. Now, a generic response is returned.

Case number: 01148149

SAML replay attack

CVE-2024-5249: A SAML replay attack was possible in certain situations. To address this vulnerability, at SSO login Akana now stores the IDs in the database so that a reused ID can be recognized and the attempted replay stopped.

Case number: 01148148
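The defence above works because a SAML assertion carries a unique ID and a NotOnOrAfter bound: remembering every consumed ID until its NotOnOrAfter passes is enough to refuse a second presentation, and the store never needs to hold IDs that the validity window would reject anyway. The following added example, written for this page and not Akana's implementation, shows that logic with an in-memory dictionary standing in for the database table; the class and function names, the sample assertion and its timestamps are all constructed. Signature validation is assumed to have passed before the ID is consulted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _saml_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionReplayGuard:
    """Remembers consumed assertion IDs so a second presentation is refused.

    Stands in for the database table described above. Entries are dropped
    once the assertion's NotOnOrAfter has passed, so the store stays bounded
    and an ID is remembered for exactly as long as the assertion would
    otherwise be accepted.
    """

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter

    def consume(self, assertion_id: str, not_on_or_after: datetime, now: datetime) -> bool:
        self._purge(now)
        if now >= not_on_or_after:
            return False  # expired assertions are refused regardless of ID
        if assertion_id in self._seen:
            return False  # same ID presented again: replay
        self._seen[assertion_id] = not_on_or_after
        return True

    def _purge(self, now: datetime) -> None:
        for aid, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[aid]


def check_assertion(assertion_xml: str, guard: AssertionReplayGuard, now: datetime) -> bool:
    """Accept the assertion only once, and only inside its validity window.

    Signature validation (the SAML Signature Policy described earlier on this
    page) must already have passed; this check adds only the replay dimension.
    """
    root = ET.fromstring(assertion_xml)
    assertion_id = root.get("ID")
    conditions = root.find("saml:Conditions", SAML_NS)
    if assertion_id is None or conditions is None or conditions.get("NotOnOrAfter") is None:
        return False  # malformed: no ID, or no expiry to bound the replay window
    return guard.consume(assertion_id, _saml_time(conditions.get("NotOnOrAfter")), now)


# Constructed sample assertion (unsigned, illustrative only)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4e5" Version="2.0" IssueInstant="2024-08-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2024-08-01T11:59:00Z" NotOnOrAfter="2024-08-01T12:05:00Z"/>
</saml:Assertion>"""

T_LOGIN = datetime(2024, 8, 1, 12, 1, tzinfo=timezone.utc)
T_REPLAY = T_LOGIN + timedelta(seconds=30)
T_AFTER_EXPIRY = T_LOGIN + timedelta(minutes=10)

if __name__ == "__main__":
    guard = AssertionReplayGuard()
    print("first login:", check_assertion(SAMPLE_ASSERTION, guard, T_LOGIN))
    print("replayed 30s later:", check_assertion(SAMPLE_ASSERTION, guard, T_REPLAY))
    print("presented after expiry:", check_assertion(SAMPLE_ASSERTION, guard, T_AFTER_EXPIRY))
```

In a clustered gateway the store must be shared, which is why the release notes place it in the database rather than in process memory; a per-node cache would let the same assertion log in once on each node.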

XML External Entity vulnerability

CVE-2024-3930: An XML External Entity (XXE) attack was reported that could cause the server hosting the Developer Portal to make calls to arbitrary servers, which also constitutes a Server-Side Request Forgery (SSRF).

Additional security settings have been introduced in Community Manager to skip external entity references from an API specification for XXE prevention. Please refer to the Platform Hardening Guide, section “Skipping external entity references from API specification for XXE prevention.”

In addition, two API WSDL endpoints have been deprecated to avoid this issue:

  • GET /api/dropbox/wsdls?wsdlUrl={url}

  • POST /api/dropbox/wsdls
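External entities can only be declared inside a DOCTYPE, so a specification importer that refuses or strips DTDs before parsing removes the XXE vector regardless of which XML parser sits behind it. The following added example illustrates the two postures the section above describes, rejecting the document outright or skipping the entity references; it is written for this page and is not the Community Manager setting or its code. The mode names, function names and the two constructed WSDL fragments are assumptions, and the SYSTEM URL in the sample is a placeholder that resolves nowhere.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an external entity can be declared, so its
# presence is the signal to act on. The block pattern covers an internal
# subset (<!DOCTYPE x [ ... ]>) and an external one (<!DOCTYPE x SYSTEM "...">).
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_DOCTYPE_BLOCK_RE = re.compile(r"<!DOCTYPE[^\[>]*(\[.*?\])?\s*>", re.IGNORECASE | re.DOTALL)
_ENTITY_NAME_RE = re.compile(r"<!ENTITY\s+([^\s%]+)\s", re.IGNORECASE)


class UnsafeSpecification(ValueError):
    """Raised when a specification carries a DTD and strict mode is in force."""


def skip_external_entities(data: str) -> str:
    """Drop the DOCTYPE block and every reference to an entity it declared."""
    names = _ENTITY_NAME_RE.findall(data)
    data = _DOCTYPE_BLOCK_RE.sub("", data)
    for name in names:
        data = data.replace(f"&{name};", "")
    return data


def parse_api_spec_xml(data: str, mode: str = "reject") -> ET.Element:
    """Parse an XML API specification (e.g. a WSDL) without honouring DTDs.

    mode="reject": any DOCTYPE fails the import outright.
    mode="skip":   the DOCTYPE and references to the entities it declared are
                   removed, then the remaining document is parsed.
    The check runs on the raw text before parsing, so the outcome does not
    depend on a particular parser's entity-resolution defaults.
    """
    if _DOCTYPE_RE.search(data):
        if mode == "reject":
            raise UnsafeSpecification("DOCTYPE declarations are not accepted in API specifications")
        if mode != "skip":
            raise ValueError(f"unknown mode {mode!r}")
        data = skip_external_entities(data)
    return ET.fromstring(data)


def rejects_dtd(data: str) -> bool:
    """True when strict mode refuses the document."""
    try:
        parse_api_spec_xml(data, mode="reject")
    except UnsafeSpecification:
        return True
    return False


# Constructed sample specifications
CLEAN_WSDL = (
    '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Echo">'
    '<service name="EchoService"/></definitions>'
)
XXE_WSDL = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE definitions [\n'
    '  <!ENTITY fetched SYSTEM "http://placeholder.invalid/resource">\n'
    ']>\n'
    '<definitions name="Echo"><documentation>&fetched;</documentation></definitions>'
)

if __name__ == "__main__":
    print("clean spec parses:", parse_api_spec_xml(CLEAN_WSDL).get("name"))
    print("spec with DTD rejected in strict mode:", rejects_dtd(XXE_WSDL))
    doc = parse_api_spec_xml(XXE_WSDL, mode="skip").find("documentation")
    print("entity reference after skipping:", repr(doc.text))
```

Reject mode is the simpler guarantee and the one to prefer for uploads from untrusted developers; skip mode keeps a legacy specification importable while ensuring nothing declared in its DTD is ever resolved.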

Case number: 01134229

Third party libraries updated to mitigate Critical and High vulnerabilities

Several third party libraries have been updated to mitigate critical and high vulnerabilities. See "Using the Third-Party Libraries" in the Akana documentation.

Case numbers: 01154806, 1042032