2024.1 Minor Releases
Minor Releases:
2024.1.5
July 28, 2025
AI-powered search for product information
On the main page of the Akana documentation site, you can now enter a question to get an AI-generated answer. Optionally, you can filter your search by product. Answers combine content from the current version of the product documentation and the Perforce knowledge base. This new search experience helps you locate information more efficiently.
Key features: 2024.1.5
OpenBanking v4 Support
Akana now supports OpenBanking v4 message formats for success as well as error messages, enabling enhanced compatibility with the latest UK Open Banking specifications.
As part of this enhancement, the following policies now return response error codes in the ISO 20022 4-character format:
- JOSE Security V2 Policy
- HTTP Message Validation Policy
To utilize this feature, create a new policy by selecting the Open Banking v4 standard and attaching it to the relevant APIs.
Please refer to the updated policy documentation, Configuring JOSE Security Policy V2 options, Open Banking error messages for the JOSE Security Policy v2, Configuring the HTTP Message Validation Policy, and Using the HTTP Message Validation Policy for policy configuration and error code details.
Case Number: 01389640
Enhancements: 2024.1.5
RSA1_5 encryption algorithm enabled for JOSE Security Policy v2
The use of the RSA1_5 encryption algorithm, previously disabled in an earlier release, has been temporarily re-enabled in the JOSE Security Policy v2 to support legacy use cases.
Case Number: 01371180
The client_id claim is mandatory in an authorization request in JAR format
When using the Akana OAuth provider, the client_id claim is mandatory in an authorization request in JAR (JWT-Secured Authorization Request) format. The claim name must be exactly client_id, and its value must match the client_id request parameter. Any other claim name, such as client-id, results in an error.
Case Number: 01388672
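As an added illustration of the rule above (example code, not Akana's), the following Go check applies the same exact-name comparison to a request object's payload. The sample request objects, the client id app-123 and the placeholder signature segment are constructed, and signature verification of the JAR is assumed to have happened before this check runs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrClientIDClaim mirrors the release-note rule: the request object must carry
// a claim named exactly "client_id" whose value equals the client_id parameter.
var ErrClientIDClaim = errors.New("JAR rejected: client_id claim missing or does not match client_id parameter")

// decodeJARPayload returns the claims of a compact-serialized request object.
// Signature verification of the JAR is assumed to happen before this check.
func decodeJARPayload(jar string) (map[string]interface{}, error) {
	parts := strings.Split(jar, ".")
	if len(parts) != 3 {
		return nil, errors.New("request object is not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return claims, nil
}

// CheckJARClientID accepts the request object only when its "client_id" claim
// is a string equal to clientIDParam. A claim spelled "client-id" (or any other
// name) does not count, even if its value matches, because the lookup is exact.
func CheckJARClientID(jar, clientIDParam string) error {
	claims, err := decodeJARPayload(jar)
	if err != nil {
		return err
	}
	v, ok := claims["client_id"].(string)
	if !ok || v == "" || v != clientIDParam {
		return ErrClientIDClaim
	}
	return nil
}

// sampleJAR builds a constructed request object for the given claims. The
// header uses the RFC 9101 typ value, but the signature segment is a
// placeholder because only the claim check is demonstrated here.
func sampleJAR(claims map[string]string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"PS256","typ":"oauth-authz-req+jwt"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	param := "app-123" // constructed client_id query parameter
	cases := map[string]map[string]string{
		"exact claim name":      {"client_id": "app-123", "response_type": "code"},
		"hyphenated claim name": {"client-id": "app-123", "response_type": "code"},
		"value mismatch":        {"client_id": "app-999", "response_type": "code"},
	}
	for name, c := range cases {
		fmt.Printf("%-22s -> %v\n", name, CheckJARClientID(sampleJAR(c), param))
	}
}
```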
Bug Fixes: 2024.1.5
Apache HTTP connection pool got exhausted while revising the app contract
When revising contracts between apps and an API that uses the PingFederate OAuth provider, and synchronizing the applications with PingFederate, the Apache HTTP connection pool could become exhausted, resulting in the following error: org.apache.http.conn.ConnectionPoolTimeoutException: Timeout waiting for connection from pool.
Case Number: 01424488
An incomplete path was displayed for the iat, iss, and tan Open Banking 3.1 request private headers in the error response for JOSE Security Policy v2 (Unencoded Payload Support)
Incomplete paths such as iat, iss, and tan were displayed instead of <base-path>/iat, <base-path>/iss, and <base-path>/tan, where <base-path> can be http://payments-services.co.uk or http://openbanking.org.uk, for the iat, iss, and tan Open Banking 3.1 request private headers in the error response for JOSE Security Policy v2 (Unencoded Payload Support).
Case Number: 01421931
Content-Type is converted from Lowercase to Uppercase for utf-8
When the property com.soa.http.client.core > transport.factory.multiValuedHeaders is empty and the Authorization header in the incoming request is in lowercase for the Atmosphere and OAuth 2.0 (strip) policies, Akana sent a null value in the Authorization header instead of removing the header from the downstream request.
Case Number: 01201862
Unable to delete an API that is contracted to the APP
Deleting an API that is contracted to an app would result in a General System error when OAuth was configured for the API.
Case Number: 01385486
An incorrect error message on session timeout when "Active Session Timeout" was configured
When the “Active Session Timeout” setting in the Community Manager was configured, the “Expired Token” error message would intermittently be displayed on session timeout instead of the expected message: “Your session has timed out. Please log in again.”
Case Number: 01389244
Long garbage collection events observed on EKS deployment
High memory consumption could occur during Gateway to Policy Manager communication failures, causing long garbage collection events. One scenario that triggers this is deploying Policy Manager pods while gateway pods are already up and running. Improvements have been made to reduce memory consumption in such scenarios.
New configuration properties, pm.client.disablePMResponseSignatureVerificationFailureAutoRecovery and pm.client.disableRandomSymmetricKeyDecryptionFailureAutoRecovery, are introduced under com.soa.client.subsystems to control Gateway auto-recovery during Gateway to Policy Manager communication failures.
Please refer to Subsystem clients configuration for more details on these properties.
Case Number: 01314468
Logging improvements to address the performance issue
Optimized logging to enhance memory allocation and reduce I/O impact during API request processing.
Case Number: 01401916
Error in validating large JSON payload
The HTTP message validation policy would fail when handling large JSON payloads. Now the policy can successfully validate JSON payloads of up to 20 MB size.
Case Number: 01393088
Issue with removing users from the Business Admin Group
When a user is a Business Admin across multiple tenants, attempting to remove that user from the Business Admin group in one tenant would result in an error.
Case Number: 01352678
Intermittent Concurrent Exception resulting in errors
In an EKS environment, a ConcurrentModificationException would occur whenever a new pod was initialized, resulting in HTTP 500 errors returned by the Gateway during incoming request processing.
Case Number: 01397287
GRID caching not functioning as expected
With the Gateway in a cluster and grid caching enabled, the throughput quota policy would not process requests according to the configured throughput limits.
Case Number: 01396264
An incorrect HTTP status code returned when multiple OAuth providers were configured
When multiple OAuth providers were configured for an API, the application returned a 401 Unauthorized response instead of the expected 403 Forbidden.
This issue occurred specifically when an access token was issued by the second or any subsequent OAuth provider with invalid scopes.
Case Number: 01350864
An API with a JSON payload exceeding 5 MB, would fail to audit the payload data
An API with a JSON payload exceeding 5 MB, when accompanied by a detailed auditing policy, would fail to audit the payload data.
To address this issue, the size limit has been extended to support JSON payloads of up to 20 MB.
Case Number: 01329563
Known issues: 2024.1.5
CM login may be temporarily disabled after changing PM Domain PKI keys and certificate
Updating the Policy Manager domain PKI keys or certificate from the Configure → Security → Details → Manage PKI Keys page prevents Community Manager login for 5 minutes.
Case Number: No associated case
2024.1.4
March 21, 2025
Enhancements: 2024.1.4
MongoDB 7 Support
Akana now supports MongoDB 7, allowing you to leverage the latest database features and optimizations.
For detailed instructions, see System Requirements for Akana Platform 2024.1.x.
Case Number: 01340775
Security Enhancements
Additional safeguards are supported to mitigate potential session fixation risks in various authentication flows for the Policy Manager console.
New configuration settings for session.manager.factory have been added under the Policy Manager Admin Console category com.soa.platform.jetty.
For details on configuring these settings for additional security, see Mitigate the session fixation attack.
Case Number: No associated case
MySQL 8.0.40 on Amazon RDS Support
Akana now supports MySQL 8.0.40 on Amazon RDS for improved database compatibility within the platform.
Case Number: No associated case
Bug Fixes: 2024.1.4
Grid not binding with specific interface
The grid service was available on all interfaces even though only certain IP addresses were specified in the grid configuration.
After the fix, the grid service binds only to the IP addresses specified in the grid configuration.
To configure the property on the ND containers, see Grid Configuration (com.soa.grid).
Case number: 01343135
An SSL handshake to the downstream could fail due to a certificate issue
The SSL handshake to the downstream API could fail when a new certificate for the downstream API was added to the Policy Manager trust store.
After the fix, certificates added to or removed from the trust store are synchronized with Network Director periodically, at the interval set by the trusted.ca.cert.keystore.spi.expireIntervalMillis property in the admin console, so the SSL handshake to the downstream no longer fails. The default value of trusted.ca.cert.keystore.spi.expireIntervalMillis is 60000 milliseconds (1 minute).
To configure the property on the ND containers, see com.soa.mp.core.client (com.soa.mp.core.client).
Case Number: 01349049
Security Vulnerabilities: 2024.1.4
Third party libraries updated to mitigate vulnerabilities
The jQuery and Bootstrap libraries used in the Community Manager out-of-the-box landing page and customization samples have been updated.
To update the default landing page in an existing tenant under Admin > File Manager > Content, perform the steps in Update JavaScript references for a default landing page in the Community Manager developer portal.
Case number: No associated case
2024.1.3
February 14, 2025
Enhancements: 2024.1.3
OpenAPI Specification (OAS) 3.1 Support enhancements
Key enhancements introduced for APIs created using OpenAPI Specification (OAS) 3.1:
- Downloading the OAS 3.1 specification file from the API page.
- Support for displaying discriminator details on the API documentation and details pages.
- The Switch to Swagger 2 button is unavailable for such APIs, as OAS 3.1 documentation is incompatible with the Swagger 2 format.
Case Number: No related case
Bug Fixes: 2024.1.3
API exchange pattern changes while updating the API
The API exchange pattern for an operation could be set to IN-ONLY if no response body was defined for HTTP status code 200 on that operation. This issue also occurred when an API created in Swagger 2 format was edited in OAS 3.x format, or vice versa.
Akana now restricts API editing to the version in which the API was created, so the exchange pattern does not change while editing the API.
To ensure the correct exchange pattern is set for the operation, see Exchange pattern behavior based on response body.
Case Number: 00615211, 00615212
Aggregate OR Policy not using Basic Authentication when the OAuth Token expired
An aggregate policy with an OR configuration of Basic Authentication and an OAuth security policy would not honor the HTTP Basic credentials when the OAuth bearer token had expired.
After the fix, the API can be invoked using a Basic and/or bearer token.
Case numbers: 01337418
Error in promoting an API after updating the topology
API promotion would fail after updating and skipping one of the promotion profiles. In addition, the system would display an incorrect version in the promotion widget for an API or App when attempting to promote from one environment to another.
Case numbers: 01175000
Request Content-Type changed to application/XML while invoking target API
The Content-Type of the request to the target API could change to application/XML when the API was created using the OAS specification, which has the requestBody defined as a reference to components/requestBodies.
References to requestBodies when creating new APIs or updating existing APIs are now supported.
To take advantage of this fix, existing APIs must be updated using the Community Manager UI or APIs.
Case numbers: 01051568, 01245765
2024.1.2
December 16, 2024
Enhancements: 2024.1.2
OAuth Client Policy enhancements
Akana introduces several enhancements to the OAuth Client Policy.
- Support for private key JWT authentication. To enable more robust client authentication through asymmetric cryptography, the OAuth Client Policy now supports the private key JWT authentication technique.
- Additional parameters support. The OAuth Client Policy now supports sending additional parameters in OAuth token requests, as required by the authorization server. You can add parameters to the token request header, the form post, and the private key JWT headers and claims.
- OAuth Client Policy caching. The OAuth Client Policy now lets you specify how long the access_token is served from the cache before a new one is requested. If no non-zero value is specified in the policy, the policy calculates the access_token cache expiry from the expires_in value returned in the token response. The updated settings replace the admin console cache configuration in the com.akana.policy.oauth.client section.
- OAuth Client Policy error handling and alerts. If an error occurs while obtaining the token from the authorization server, HTTP status code 500 is returned to the client with the following error message:
  { "faultcode": "Server", "faultstring": "An internal server error occurred." }
  Admins can check the error details in the alerts with codes 90701, 90702, and 90709.
In addition to the above enhancements, POST is now the only supported method for token requests; the GET method is disabled for security reasons.
To view the detailed instructions on updating your OAuth Client Policy configuration, see the OAuth Client Policy configuration documentation.
Case number: 01160325, 01114097, 00633295, 00798415
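The private key JWT technique named in the first item is the RFC 7523 client assertion: the client signs a short-lived JWT with its own private key and sends it as client_assertion instead of a client_secret. The following Go example, added here and not part of Akana or its OAuth Client Policy, builds such an assertion and shows the checks a token endpoint applies before trusting it; the client id app-123, the token endpoint URL and the newKey helper are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// RFC 7523 client assertion claims: the client is both iss and sub, aud is the token endpoint, jti is single-use.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decode parses one base64url JWS segment into v, reporting success.
func decode(seg string, v interface{}) bool {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// newKey makes a throwaway RSA key for the demo (assumption); a real client loads its key from a keystore or HSM.
func newKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// BuildClientAssertion produces the RS256-signed JWT that private_key_jwt sends
// as client_assertion in place of a client_secret, valid for ttl from now.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(assertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: b64(nonce), Exp: now.Add(ttl).Unix()})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is the authorization-server side: it pins alg to RS256
// before checking the signature, then audience, issuer/subject and expiry.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, tokenEndpoint string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || !decode(parts[0], &hdr) || hdr.Alg != "RS256" {
		return "", errors.New("malformed assertion or unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c assertionClaims
	if !decode(parts[1], &c) || c.Aud != tokenEndpoint || c.Iss == "" || c.Iss != c.Sub || now.Unix() >= c.Exp {
		return "", errors.New("audience, subject or expiry rejected")
	}
	return c.Iss, nil
}
```

The assertion travels in the token request form with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer; a server should additionally remember each jti until its exp to prevent replay.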
Certification of Windows Server 2022
Akana now supports deployment on Windows Server 2022. Certification on Windows Server 2022 verified compatibility, reliability, and performance across the Akana Platform and API Platform, including their features and plugins such as Microsoft SQL Server.
Case Number: No related case
JOSE policy V2 change
iss and tan validation
The JOSE Security Policy v2 (Unencoded Payload Support) rules for validating the iss and tan private headers in the incoming JOSE request signature have been modified to cater to different Open Banking Trust Anchor deployment scenarios.
Case number: 01209581
iat header generation
The JOSE Security Policy v2 (Unencoded Payload Support) rules for generating the iat private header in the outgoing JSON signature have been modified to cater to different Open Banking Trust Anchor deployment scenarios.
Case number: 01232900
Support Dynamic client registration endpoint
A new field, Client Registration Endpoint, is added to the Branding tab of the Akana OAuth/OIDC Provider to capture the URL for the externally hosted and implemented Dynamic Client Registration Endpoint. This value sets the registration_endpoint in the OIDC Discovery Document (/.well-known/openid-configuration).
For details, see How to set up dynamic client registration with the Akana OAuth/OIDC Provider.
Case Number: 01208408
Character limit increase for container name and container key fields
When creating a container, the character limit for the container name and the container key fields is increased from 32 to 64 characters.
Case number: 00982197
Character limit increase for WebsiteAddress field
When creating or modifying an App, the WebsiteAddress field character limit is increased from 80 to 2048 characters. The WebsiteAddress field on an App OAuth Profile now also accepts 2048 characters, up from 64 characters in the UI.
Case number: 01245982
IAM DB connections on cross-account or cross-cluster failure
IAM DB connections in cross-account or cross-cluster setups did not work properly. They now work after the introduction of a new AWS credentials provider, STSAssumeRoleSessionCredentialsProvider.
For details, see Configuring IAM on Policy Manager and Community Manager containers in the Akana documentation.
Case number: 01208807
Bug Fixes: 2024.1.2
App metrics API returned zero value for totalRequestSize and totalResponseSize
Calling the metrics API for an App returned zero for the totalRequestSize and totalResponseSize fields when MongoDB was used to store audit logs.
After this fix, the API returns the correct values.
Case Number: 01225443
PM Restart required complete UAT platform restart
When multiple Network Director containers were connected to the Policy Manager container(s) and the Policy Manager container(s) were restarted, the Policy Manager would become unresponsive, causing the Network Director containers to become unresponsive as well. All containers in the Akana deployment had to be restarted to make the environment work correctly.
Now, restarting the Policy Manager container does not require a complete Akana deployment restart.
Case number: 00926166, 00836048
2024.1.1
October 9, 2024
Enhancements: 2024.1.1
FAPI 1.0 Advanced Profile Support
Akana OAuth provider now supports FAPI 1.0 Advanced Profile (FAPI), designed to meet the highest security and privacy requirements for financial-grade APIs.
Key Features:
- The Akana OAuth provider domain can be configured to comply with the FAPI profile by enabling the FAPI profile flag in the domain settings. Once enabled, the OAuth authorization and token endpoints enforce stricter security requirements in line with the FAPI profile.
- External OAuth provider domains, such as PingFederate, also support FAPI profile compliance.
- The Akana OAuth policy enforces additional validations on incoming access tokens in API requests when the FAPI profile is enabled for the corresponding Akana or External OAuth domains.
Review FAPI Support in the documentation to start using the FAPI feature support in Akana.
Case numbers: 01041266, 00620513
PingFederate 12 support
Akana now supports PingFederate 12 integration. PingFederate 12 can be integrated with the Akana platform as an External OAuth Provider, OIDC relying party domain, or a SAML SSO Login domain.
Case number: No related case
New configuration option in Admin Console for Jetty to manage its configuration
The Admin Console now has an option that allows the Jetty transport to manage its own configuration. This may improve container performance.
Set the following Jetty configuration properties under com.soa.platform.jetty to -1 so that Jetty calculates the values from the machine configuration:
- http.incoming.transport.config.acceptThreads
- http.incoming.transport.config.requestQueueSize
After upgrading, manually change the values of these properties to -1 to use this behavior.
See Configuration properties for the Jetty transport in the Akana documentation for more detail.
The Revoke Token API now supports revocation of refresh token along with access token
The Revoke Token API (PUT oauth/admin/token/revoke) now allows an authorized user to revoke a refresh token as well as an access token. See PUT oauth/admin/token/revoke in the Akana documentation.
Case number: No related case
The Akana OAuth provider domain now supports a configurable value for the audience field
When requesting an OAuth token from the Akana OAuth provider, the audience ("aud") value always defaulted to the Authorization Server URL configuration for the Akana OAuth Provider domain. Now the audience value is configurable and will be included in the aud claim in the access token. A single audience value is allowed.
Case number: No related case
New fields for JCA providers in OAuth provider domain to support HSM
New fields have been added to both the Akana OAuth/OIDC provider and External OAuth provider to capture the JCA providers required by hardware security module (HSM):
Akana OAuth provider:
- Verify JCA Provider textbox (Token tab > JWT Bearer Access Token > Signing JCA Provider)
- Decrypt JCA Provider textbox (Token tab > JWT Bearer Access Token > Encrypt JWT Access Token > Encrypt JCA Provider)
External OAuth provider:
- Verify JCA Provider textbox (Access Token Validation tab > JWT Bearer Access Token > Signing Key)
- Decrypt JCA Provider textbox (Access Token Validation tab > JWT Bearer Access Token > Supports Encryption)
Case number: No related case
Logging messages enhanced for easier troubleshooting
Akana has enhanced its alert descriptions to better identify connectivity issues for inbound and outbound requests. These include:
- SSL handshake related errors
- Peer certificate validation errors during the SSL handshake
Enhanced alerts will help in troubleshooting OAuth providers and API gateway traffic. See "Logging of TLS errors and the corresponding alert code" in the Akana documentation.
Case numbers: 01162921, 01180895
Akana OAuth Provider implicit flow validation added on public client type
When implicit flow is enabled in the Akana OAuth provider, additional validation has been introduced on the public client type. (The implicit flow is supported only for a public client type, not for a confidential client type).
Case number: No related case
Bug Fixes: 2024.1.1
Case-insensitive OAuth token could be generated in some cases
Generating an Akana OAuth provider token did not properly consider case when validating the client_id. Now, the Akana OAuth provider generates a token only if the client_id is an exact match.
Case number: 01139380
Token expiration errors could be inconsistent for multiple OAuth domains on a single API
When a single API was connected to multiple OAuth domains, error messages for expired tokens could be inconsistent. Now, an expired token in this case results in the correct error message ("1012117 - Invalid Token. The token has expired."), regardless of the OAuth provider.
Case number: 01186837
Revoke Token API worked incorrectly with Mongo DB
The Revoke Token API (PUT oauth/admin/token/revoke) did not work properly with Mongo DB. Now, API calls for which a token has been revoked will fail for both Mongo DB and RDBMS.
Case number: 01142496
After upgrading, could not log into the Developer Portal using an OIDC domain
After upgrading, logging into the Developer Portal using an OpenID Connect Relying Party (OIDC) domain could return an error.
Case number: No related case
Incorrect alert notifications in some situations
An incorrect alert code 9031 and alert message ("Cannot establish connection to [{0}] because it cannot be trusted") could be produced for a target API SSL connection error.
A new alert code 9033 and alert message ("Connection to [{0}] cannot be established due to a SSL Exception, which may indicate either an SSL handshake error or IO error") has been added to handle this case.
Case number: 01130776
Audit log for the HTTP Caching Policy does not include all data
When using the HTTP Caching Policy, the contract information was not displayed in the audit log.
Case number: 00620140