Resolved Issues

This topic summarizes issues that have been resolved for Layer7 API Gateway, categorized by release. Note that resolved issues are presently not grouped by form factor as they are typically form-factor agnostic. Please check the descriptions of each resolved issue for form-factor applicability, as required.

Issues Resolved in Version 10.0 CR4

The following issues are fixed in Layer7 API Gateway 10.0 CR4:
Fixed Issue ID
Description
DE487632
Fixed a false log level warning by downgrading it from "WARNING" to "FINE" or "INFO".
DE490809
Resolved an issue that caused the Decode JSON Web Token assertion to throw an exception error due to a missing "Use" field entry.
DE494520
Fixed an issue that caused the audit sink policy to generate an error when attempting to decrypt an audit record stored in an external database.
DE495534
Fixed an issue in the SSG logs to improve security.
DE495861
Fixed an issue in the cache entry to resolve a memory leak issue.
DE497451
Resolved an issue that caused truncated log messages in the SSG logs.
DE498217
Applies to nShield HSM users. Resolved an issue that caused an error when attempting to create a new security world after an upgrade to Gateway version 10.0 CR3 is performed.
DE500857
Corrected an issue that failed to load the connection upgrade headers while processing the WebSocket messages.
DE502548
Resolved a MySQL performance issue after upgrading to MySQL 8 for the Gateway.
DE503170
Fixed a service resolution problem where a service call to a Gateway policy may result in a different service than the one intended.
DE505246
Fixed an issue that prevented the Gateway from decompressing a payload that is compressed via gzip to process a request.
DE506108
Resolved a MySQL connector issue that prevented SSL enablement when using the Container Gateway to connect to a MySQL database.
DE506254
Resolved an issue that caused a migration failure when attempting to import policies to the Gateway using GMU.
DE507160
Corrected an issue that caused the connection upgrade request to fail if the request was too long to fit in a request buffer.
Introduced the following cluster properties to configure request buffer size and response buffer size for the WebSocket outbound client:
DE508314
Fixed an issue that caused a validation error when a JSON schema uses a 'multipleOf' numeric type. This issue was known to affect 'Validate Against OpenAPI Document' and 'Validate JSON Schema' assertions.
DE508519
See DE508314 (above).

Issues Resolved in Version 10.0 CR3

The following issues are fixed in Layer7 API Gateway 10.0 CR3:
Fixed Issue ID
Description
DE459999
Enhanced the internal parsed document cache capability in Validate Against Swagger Document assertion so the assertion does not fail when using a shared policy fragment.
Introduced the following cluster properties:
  • swagger.modelCache.maxSize
  • swagger.modelCache.idleTimeout
DE460925
Introduced a new cluster property, pkix.crl.skipSerialNumberCheckForRevocationCheck, which when set to true skips comparing serial numbers of identical certificates in a trusted store and avoids CRL failure.
DE492602
Fixed a platform patch issue that caused download problems.
DE481370
Corrected an issue where an unnecessary UUID was generated when a Gateway audit log is not in JSON format, resulting in a blocked thread.
DE482032
Corrected an issue in Scan Using ICAP-Enabled Antivirus assertion that results in an exception when the number of bytes of all the ICAP Response Headers exceeds the default maximum value of 8192.
Introduced a new cluster property to manage this value, icap.response.maxIcapHeaderSize. Configure this cluster property value to -1 to set it to the maximum integer, 2147483647.
DE487040
Corrected a potential security issue by allowing nonce support to be set at the Revocation Policy level for the Gateway.
DE487301
Corrected an issue that caused the Query LDAP assertion to return no results.
DE487460
Corrected an issue with the OCSP response signature validation.
DE486377
Corrected a Policy Plugin export issue to allow exporting Gateway configuration even when restricted keys are in use.
DE452349
Fixed an issue in the Authenticate Against CA Single Sign-On assertion to notify the authenticated user when their password is about to expire. For more information, see Authenticate Against CA Single Sign-On Assertion.
DE493332
Fixed an issue that caused poor performance in message routing by proxy, which led to a "Timeout connection waiting from pool" routing error when a client attempts to connect to a proxy via message routing.

Issues Resolved in Version 10.0 CR2

The following issues are fixed in Layer7 API Gateway 10.0 CR2:
Fixed Issue ID
Description
DE453837
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 9.4 Container Gateway image.
DE455298
Corrected an issue that caused increased response time of Gateway if a proxy is involved during SSL handshake.
DE456742
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 10.0 Container Gateway image.
DE461126
Improved logging capability to assist with investigation of reported inbound stream timeouts.
DE465400
Corrected an authorization header issue that caused an error log message each time data is sent to an HTTP event collector via the Route via HTTP(S) policy assertion.
DE467988
Corrected an issue that caused the io.mqConversionCCSID cluster property to not apply to the reply queue, causing incorrect message responses. This issue was related to the Route via MQ Native policy assertion.
DE468587
Fixed a backward compatibility issue for Gateway Version 10.0 CR1 Policy Manager, which caused users to not be able to view the Policy Manager dashboard after connecting to a Gateway running baseline version 10.0.
DE468866
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 10.0 CR1 Container Gateway image.
DE471594
Corrected an issue that prevented the Gateway from sending logs to STDOUT.
DE471975
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 10.0 Container Gateway image.
DE473821
Corrected a special character issue that arose from a function error in the Execute Javascript policy assertion.
DE456274
Introduced the following new cluster properties that you can configure when your Gateway queue is full so that WebSocket can accept new connection requests:
  • websocket.forward.ping
  • websocket.outbound.max.connections.per.destination
  • websocket.outbound.max.requests.queued.per.destination
  • websocket.outbound.client.connect.request.timeout

Issues Resolved in Version 10.0 CR1

The following issues are fixed in Layer7 API Gateway 10.0 CR1:
Fixed Issue ID
Description
DE430052
Corrected a problem that caused private keys to not display in Policy Manager after upgrading to Gateway Version 9.4 from 9.1.
DE439634
Fixed a command execution error when exporting Gateway configuration via restricted shell in the SSG Configuration Menu.
DE456425
Resolved a Kerberos configuration issue that showed the following message:
"Authentication failed....Could not login 'Message stream modified (41)"
See Manage Kerberos Configuration for more information.
DE452738
Resolved a SAML token validating issue. Introduced the following SAML Cluster Properties:
  • samlAssertion.validate.notBeforeOffsetDuration
  • samlAssertion.validate.notOnOrAfterOffsetDuration
DE452928
Resolved an ssg-dbstatus service issue that resulted in a 'failed status' due to upgrading to MySQL 8.
DE455206
Resolved an NTLM authentication failure issue due to a Tomcat 7 upgrade.
DE448192
Resolved a thread pool issue in the Route via MQ Native assertion where the MQ threads were not timing out after a time interval. Introduced a new field, MQ PUT Timeout, in the Target tab of the MQ Native Routing properties dialog.
DE454594
Enhanced the Name field in the Stored Password properties to accept $ and @ characters.
DE459227
The 'LogMessageToSyslog' tactical assertion has been made available for Gateway Version 10 CR1.
DE459849
Resolved an issue so that Gateway can log messages larger than 10KB by introducing a cluster property, audit.log.maxFormattedMessageSize.
DE439772
Fixed a CRL cache updating issue. A new cluster property, pkix.crl.validateCrlBeforeCacheUpdate, is added to validate the CRL with issuer key before updating the cache.
DE459135
Resolved an issue where CA SSO Agent fails to re-establish the connectivity to the SSO policy server. Introduced a new cluster property, siteminder.managementTimePeriod, to configure the time period to reinitialize the CA SSO agent.
DE461160
Resolved a stack trace issue that occurs when the Policy Manager is trying to connect to an LDAP identity provider.

Issues Resolved in Version 10.0

The following issues are fixed in Layer7 API Gateway 10.0:
Fixed Issue ID
Description
DE437165
Corrected an issue where when TLS 1.2 was selected, the Gateway cannot convert an XMPP message as expected. A “Failed to create the TLS filter for a XMPP connection. missing provider” error was thrown. This issue has been resolved.
DE434143
Corrected an issue where if a private key with the key type of P-256 using the hash algorithm of SHA256 is generated, it always has Signature Algorithm SHA1.
DE432816
Fixed an issue with the Encode JSON Web Token assertion where the x5c headers were not generated as configured.
DE432790
Corrected an issue where users were not able to set the format field under the MQRFH header in MQ message. When MQRFH and MQRFH2 are selected as additional headers, you can define the format of data that is following this header by adding the property, mqnative.MQRFH.formatField, using the Manage Transport Properties/Headers Assertion.
DE429255
Corrected an issue where the compatibility check for Server Key and enabled ciphers in the Listen Port Properties dialog is not consistent when the same key is selected by alias name and as the Default SSL key.
DE426714
Fixed an issue that caused a 'Divide by Zero' error in the Apply Rate Limit Assertion.
DE424935
Corrected an issue in GMU where the logs did not specify which entity failed. FINE level logs are added for every entity until an exception occurs and you can trace the logs backwards to resolve the issue.
DE424050
Corrected an issue where Gateway was not retaining the logging format as json when using JSON Enriched logging in docker gateway.
DE422011
Corrected an issue where root and ssgconfig login credentials were not working after configuring PAM LDAP and changing a user password or disabling a user in Active Directory.
DE421593
Corrected an issue that caused Encode JSON Web Token assertion to fail as empty payloads are not allowed.
DE420260
Corrected an issue in the Convert Audit Record to XML assertion, where LF and CR control characters were replaced with ? in the output.
DE416831
Corrected an issue where, when a certificate is trusted and enabled for SSL Outbound, the io.httpsHostVerify cluster property was not checked.
DE416628
The API Gateway is now compliant with the RFC2253 standard for LDAPv3 UTF-8 String Representation of Distinguished Names.
DE413586
The cluster-wide property json.schemaCache.maxAge is changed to not require a restart, to work around an issue with JSON Schema Assertion and XSL Transformation Assertions caching invalid schema.
DE413539
Introduced an argument, logMaxShutdownTime, in the Policy Manager .ini file so users can increase the logs' shutdown time in case they are not able to view all the logs.
DE413329
Corrected an issue where Gateway was not processing zero byte files during PUT operation in the Route via SSH2 assertion.
DE413305
Corrected an issue that caused an error while using PUT in the Route via SSH2 assertion.
DE413276
Fixed an issue where the ssgrestore.sh command was not retaining the permissions from the backup.
DE410059
Corrected an issue with the Scan Using ICAP-Enabled Antivirus assertion, which was not falsifying when receiving an HTTP 500 response.
DE409152
Corrected an internal Gateway exception error resulting from certificate validation against an OCSP server.
DE409346
Corrected an issue in Query LDAP assertion to ensure that CacheEntry is created based on both DN and LDAP Search Filter.
DE407947, DE421487
Fixed an issue to support critical headers when passed in JSON Web Token Encode and Decode assertions.
DE407818
Introduced a new audit-related cluster property, syslog.dateFormat, that allows format modification of the syslog date-time format.
DE407539
Fixed an issue in the Validate Against Swagger Document assertion where the swagger basePath, if left empty, results in a null string in the baseUri variable.
DE406143  
Corrected a performance issue where the Gateway failed to load some settings from system.properties.
DE405599          
Fixed an issue that caused the Policy Manager to throw an exception error when a user attempts to view logs on the Docker Container Gateway.
DE404616  
Corrected a Gateway issue where large files were not being completely transferred via SFTP. Also renamed ssh.routingInactiveInterval to ssh.routingInactiveTimeout.
DE403542
Introduced a new Audit Archiver cluster property, auditArchiver.db.defaultDiskThreshold, that allows you to set the default disk space threshold for the MySQL DB data file.
DE402975
Corrected an issue where Query LDAP assertion failed if the Maximum results field was set to a value more than 9999.
DE401446
Fixed a condition where an incorrect audit log is generated when the Throughput Quota Assertion property 'by value' is enabled and references a context variable that hasn't been set or defined.
DE401386
Corrected an issue to stop Policy Manager from overwriting policies when one policy is not saved immediately and another policy is accessed.
DE401094
Fixed an Off-by-One error that caused the unit of time to change to 'minute' instead of the intended 'hour' in the Throughput Quota Assertion dialog in the Policy Manager.
DE401078  
Corrected an issue that caused the Generate OAuth Signature Base String assertion to generate an invalid signature base string for URL query parameters.
DE399857
Fixed an issue that caused Policy Manager to pop an error while uploading a certificate to FIP.
DE396224
Corrected an issue that caused version mismatch while updating the service in RESTMAN calls.
DE395766
Corrected an issue with the removeStaleNodes schedule task that caused a database deadlock.
DE394698
Corrected an issue where importing a certificate without extensions was causing NULL pointer exception.
DE394565
Policy Manager enforced a maximum of 10,000 records returned for the Perform JDBC Query assertion. This limitation no longer exists. The new maximum limit for records returned is the max Java integer (2^31 - 1). Your JDBC driver may restrict this to 50 million.
DE394505
Corrected an issue where Gateway was not able to verify an XML Element.
DE394392
Increased the maximum password string length in JDBC Connection Properties.
DE394219  
Fixed a problem that prevented users from importing a private key when a Gateway is configured to use SafeNet HSM v6.2.2 for a keystore.
DE392310
Corrected an issue in the Gateway Migration Utility that caused a private key to be mapped to more keys than intended.
DE390312
Fixed a problem with the Execute Salesforce Operation Assertion that prevented customers from updating a date field in Salesforce.
DE389409
Corrected an issue where the cluster-wide property validation type for the siteminder.session.generateCookieString was set incorrectly and a WARNING message was displayed when Gateway started.
DE388478
Corrected an issue where, if a JSON payload contained special characters (-/:;()$&@“.,?!’[]{}#%^* =_|~<>€•.,?!), the Evaluate JSON Path Expression V2 assertion converted the characters to unicode. This issue has been resolved. The literal characters are returned as expected. Note that this issue is not fixed for the deprecated Evaluate JSON Path Expression assertion.
DE388060
Corrected an issue where the Check IP check box, when not selected, in CA SSO Configuration Properties throws an error when trying to connect to an SSO server.
DE387219
Corrected an issue in the MQ Native Queue Properties dialog that caused some values to save unintentionally when changing the direction of the queue from Inbound to Outbound.
DE386324  
Re-ordered the post service hook to ensure the execution behaviour of service hook and global service policy is consistent.
DE384925
The cluster property, cassandra.maxSimultaneousRequestsPerHostThreshold, was earlier used to set the maximum connections per Cassandra host. It is now used to set the maximum number of simultaneous requests per Cassandra host. The default value changed from 8192 to 1024 when hostDistance=LOCAL.
The following Cassandra connection properties are added in this CR release:
  • Pooling properties:
    • coreConnectionsPerLocalHost
    • maxConnectionsPerLocalHost
    • coreConnectionsPerRemoteHost
    • maxConnectionsPerRemoteHost
    • newConnectionThreshold
  • Load balancing properties:
    • localDataCenterName
    • numOfUsedHostsPerRemoteDC
DE384246
Fixed a performance issue with the Route via HTTP(S) assertion.
DE383343
Corrected a minor password issue that incorrectly informed some users of exceeded failed attempts when logging into the Policy Manager.
DE380123
Corrected an issue that was causing the Encode/Decode Data assertion to fail when encoding large files.
DE379506
Corrected a signing issue in (Non-SOAP) Sign XML Element assertion with no ID attribute at document level.
DE379142
Corrected a Policy Manager connection issue when using an external identity provider.
DE378224
Corrected pagination issues in the query results when using Microsoft Active Directory in the Query LDAP assertion.
Note: The LDAP Group Query in Gateway is not showing results. See Known Issues for the workaround.
DE377433
Corrected an issue that caused Gateway to accept an incorrect Queue name in the MQ Native Queue Properties dialog, which resulted in increasing the number of connections on the configured channel until the MQ server denied new connections. Gateway now throws an error when an incorrect Queue name is provided.
DE376544
Updated Gateway to display appropriate audit messages with ERROR tag instead of INFO tag.
DE368338
Corrected an issue that caused the SSG log to show stack trace at Severe level when the Route via HTTP assertion is given an invalid port number.
DE346288
Corrected an issue where, when applying a Route via MQ Native Assertion within an encapsulated assertion, the request message is not sent and a stack trace is logged in the audit logs.
DE243553
The following line no longer needs to be added to the java.security file if your Luna machine is FIPS enabled:
security.provider.10=com.safenetinc.luna.provider.LunaProvider
DE219165
Limited Listen Port names to 128 characters or less to prevent SSM from throwing an error.
DE218895
Corrected an issue that prevented the saving of cloned log sinks due to invalid characters in the log sink name.
DE212986
Corrected an issue that caused a FileNotFoundException to be logged with stack trace in the SSM log when a user attempts to export a key in the directory where the read-only file already exists.
DE212225
An issue that caused the syslog server to be unreachable, which resulted in the Gateway hanging, is now fixed.
DE211146
Fixed an issue where an ICAP Server response header size was not configurable. A new cluster wide property, icap.maxResponseHeaderSize, is added in Gateway to configure ICAP max response header size.
DE410134
An issue causing an SSH_DISCONNECT_BY_APPLICATION error for a customer when attempting to connect to the Gateway via SFTP has been fixed.
DE413457
Fixed an issue that caused failure in returning results when running an LDAP group query.
DE439772
Fixed a CRL cache updating issue. A new cluster property, pkix.crl.validateCrlBeforeCacheUpdate, is added to validate the CRL with issuer key before updating the cache.
DE442226
Resolved an issue that prevented the Gateway from enforcing a server-side cipher.
DE368072
Resolved an issue that caused account lockouts when running the Gateway in Azure cloud.