Resolved Issues

This topic summarizes issues that have been resolved for Layer7 API Gateway, categorized by release. Note that resolved issues are presently not grouped by form factor as they are typically form-factor agnostic. Please check the descriptions of each resolved issue for form-factor applicability, as required.

Issues Resolved in Version 10.0 CR3

The following issues are fixed in Layer7 API Gateway 10.0 CR3:
Fixed Issue ID
Enhanced the internal parsed document cache capability in Validate Against Swagger Document assertion so the assertion does not fail when using a shared policy fragment.
Introduced the following cluster properties:
  • swagger.modelCache.maxSize
  • swagger.modelCache.idleTimeout
Introduced a new cluster property, pkix.crl.skipSerialNumberCheckForRevocationCheck, which when set to
skips comparing serial numbers of identical certificates in a trusted store and avoids CRL failure.
Fixed a platform patch issue that caused download problems.
Corrected an issue in which an unnecessary UUID was generated when a Gateway audit log was not in JSON format, resulting in a blocked thread.
Corrected an issue in Scan Using ICAP-Enabled Antivirus assertion that results in an exception when the number of bytes of all the ICAP Response Headers exceeds the default maximum value of 8192.
Introduced a new cluster property to manage this value, icap.response.maxIcapHeaderSize. Configure this cluster property value to
to set it to the maximum integer, 2147483647.
Corrected a potential security issue by allowing nonce support to be set at the Revocation Policy level for the Gateway.
Corrected an issue that caused the Query LDAP assertion to return no results.
Corrected an issue with the OCSP response signature validation.
Fixed some of the false log level warnings by changing them from "WARNING" to "FINE" or "INFO".
Corrected a Policy Plugin export issue to allow exporting Gateway configuration even when restricted keys are in use.
Fixed an issue in the Authenticate Against CA Single Sign-On assertion to notify the authenticated user when their password is about to expire. For more information, see Authenticate Against CA Single Sign-On Assertion.
Fixed an issue that caused poor performance in message routing by proxy, which led to a "Timeout connection waiting from pool" routing error when a client attempts to connect to a proxy via message routing.

Issues Resolved in Version 10.0 CR2

The following issues are fixed in Layer7 API Gateway 10.0 CR2:
Fixed Issue ID
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 9.4 Container Gateway image.
Corrected an issue that caused increased response time of Gateway if a proxy is involved during SSL handshake.
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 10.0 Container Gateway image.
Improved logging capability to assist with investigation of reported inbound stream timeouts.
Corrected an authorization header issue that caused an error log message each time data is sent to an HTTP event collector via the Route via HTTP(S) policy assertion.
Corrected an issue that caused the io.mqConversionCCSID cluster property to not apply to the reply queue, causing incorrect message responses. This issue was related to the Route via MQ Native policy assertion.
Fixed a backward compatibility issue for Gateway Version 10.0 CR1 Policy Manager, which caused users to not be able to view the Policy Manager dashboard after connecting to a Gateway running baseline version 10.0.
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 10.0 CR1 Container Gateway image.
Corrected an issue that prevented the Gateway from sending logs to STDOUT.
Corrected an issue that resulted in found CVEs from a vulnerability scan for a version 10.0 Container Gateway image.
Corrected a special character issue that arose from a function error in the Execute Javascript policy assertion.
Introduced the following new cluster properties that you can configure when your Gateway queue is full so that WebSocket can accept new connection requests:
  • websocket.outbound.max.connections.per.destination
  • websocket.outbound.max.requests.queued.per.destination
  • websocket.outbound.client.connect.request.timeout

Issues Resolved in Version 10.0 CR1

The following issues are fixed in Layer7 API Gateway 10.0 CR1:
Fixed Issue ID
Corrected a problem that caused private keys to not display in Policy Manager after upgrading to Gateway Version 9.4 from 9.1.
Fixed a command execution error when exporting Gateway configuration via restricted shell in the SSG Configuration Menu.
Resolved a Kerberos configuration issue that showed the following message:
Authentication failed....Could not login 'Message stream modified (41)
See Manage Kerberos Configuration for more information.
Resolved a SAML token validating issue. Introduced the following SAML Cluster Properties:
  • samlAssertion.validate.notBeforeOffsetDuration
  • samlAssertion.validate.notOnOrAfterOffsetDuration
Resolved a thread pool issue in the Route via MQ Native assertion where the MQ threads were not timing out after a time interval. Introduced a new field, MQ PUT Timeout, in the Target tab of the MQ Native Routing properties dialog.
Enhanced the Name field in the Stored Password properties to accept
The 'LogMessageToSyslog' tactical assertion has been made available for Gateway Version 10 CR1.
Resolved an issue so that Gateway can log messages larger than 10KB by introducing a cluster property, audit.log.maxFormattedMessageSize.
Fixed a CRL cache updating issue. A new cluster property, pkix.crl.validateCrlBeforeCacheUpdate, is added to validate the CRL with issuer key before updating the cache.
Resolved an issue where CA SSO Agent fails to re-establish the connectivity to the SSO policy server. Introduced a new cluster property, siteminder.managementTimePeriod, to configure the time period to reinitialize the CA SSO agent.
Resolved a stack trace issue that occurs when the Policy Manager is trying to connect to an LDAP identity provider.

Issues Resolved in Version 10.0

The following issues are fixed in Layer7 API Gateway 10.0:
Fixed Issue ID
Corrected an issue where, when TLS 1.2 was selected, the Gateway could not convert an XMPP message as expected. A “Failed to create the TLS filter for a XMPP connection. missing provider” error was thrown. This issue has been resolved.
Corrected an issue where if a private key with the key type of P-256 using the hash algorithm of SHA256 is generated, it always has Signature Algorithm SHA1.
Fixed an issue with the Encode JSON Web Token assertion where the x5c headers were not generated as configured.
Corrected an issue where users were not able to set the format field under the MQRFH header in MQ message. When
are selected as additional headers, you can define the format of data that is following this header by adding the property,
, using the Manage Transport Properties/Headers Assertion.
Corrected an issue where the compatibility check for Server Key and enabled ciphers in the Listen Port Properties dialog is not consistent when the same key is selected by alias name and as the Default SSL key.
Fixed an issue that caused a 'Divide by Zero' error in the Apply Rate Limit Assertion.
Corrected an issue in GMU where the logs did not specify which entity failed. FINE level logs are added for every entity until an exception occurs and you can trace the logs backwards to resolve the issue.
Corrected an issue where Gateway was not retaining the logging format as json when using JSON Enriched logging in docker gateway.
Corrected an issue where root and ssgconfig login credentials were not working after configuring PAM LDAP and changing a user password or disabling a user in Active Directory.
Corrected an issue that caused Encode JSON Web Token assertion to fail as empty payloads are not allowed.
Corrected an issue in the Convert Audit Record to XML assertion, where LF and CR control characters were replaced with
in the output.
Corrected an issue when a Certificate is trusted and enabled for SSL Outbound, it does not check
cluster property.
The API Gateway is now compliant with the RFC2253 standard for LDAPv3 UTF-8 String Representation of Distinguished Names.
Cluster-wide property,
is changed to not require a restart to workaround an issue with JSON Schema Assertion and XSL Transformation Assertions caching invalid schema.
Introduced an argument, logMaxShutdownTime, in the Policy Manager .ini file so users can increase the logs' shutdown time in case they are not able to view all the logs.
Corrected an issue where Gateway was not processing zero byte files during PUT operation in the Route via SSH2 assertion.
Corrected an issue that caused an error while using PUT in the Route via SSH2 assertion.
Fixed an issue where the command was not retaining the permissions from the backup.
Corrected an issue with the Scan Using ICAP-Enabled Antivirus assertion as it was not falsifying when receiving HTTP 500 response.
Corrected an internal Gateway exception error resulting from certificate validation against an OCSP server.
Corrected an issue in Query LDAP assertion to ensure that CacheEntry is created based on both DN and LDAP Search Filter.
DE407947, DE421487
Fixed an issue to support critical headers when passed in JSON Web Token Encode and Decode assertions.
Introduced a new audit-related cluster property, syslog.dateFormat, that allows format modification of the syslog date-time format.
Fixed an issue in the Validate Against Swagger Document assertion where the swagger basePath if left empty results in
string in the baseUri variable.
Corrected a performance issue where the Gateway failed to load some settings from
Fixed an issue that caused the Policy Manager to throw an exception error when a user attempts to view logs on the Docker Container Gateway.
Corrected a Gateway issue where large files were not being completely transferred via SFTP. Also renamed ssh.routingInactiveInterval to ssh.routingInactiveTimeout.
Introduced a new Audit Archiver cluster property, auditArchiver.db.defaultDiskThreshold, that allows you to set the default disk space threshold for the MySQL DB data file.
Corrected an issue where Query LDAP assertion failed if the Maximum results field was set to a value more than 9999.
Fixed a condition where an incorrect audit log is generated when the Throughput Quota Assertion property 'by value' is enabled and references a context variable that hasn't been set or defined.
Corrected an issue to stop Policy Manager from overwriting policies when one policy is not saved immediately and another policy is accessed.
Fixed an Off-by-One error that caused the unit of time to change to 'minute' instead of the intended 'hour' in the Throughput Quota Assertion dialog in the Policy Manager.
Corrected an issue that caused the Generate OAuth Signature Base String assertion to generate an invalid signature base string for URL query parameters.
Fixed an issue that caused Policy Manager to pop an error while uploading a certificate to FIP.
Corrected an issue that caused version mismatch while updating the service in RESTMAN calls.
Corrected an issue with the removeStaleNodes schedule task that caused a database deadlock.
Corrected an issue where importing a certificate without extensions was causing NULL pointer exception.
Policy Manager enforced a maximum of 10,000 records returned for the Perform JDBC Query assertion. This limitation no longer exists. The new maximum limit for records returned is the max Java integer (2^31 - 1). Your JDBC driver may restrict this to 50 million.
Corrected an issue where Gateway was not able to verify an XML Element.
Increased the maximum password string length in JDBC Connection Properties.
Fixed a problem that prevented users from importing a private key when a Gateway is configured to use SafeNet HSM v6.2.2 for a keystore.
Corrected an issue in the Gateway Migration Utility that caused a private key to be mapped to more keys than intended.
Fixed a problem with the Execute Salesforce Operation Assertion that prevented customers from updating a date field in Salesforce.
Corrected an issue where the cluster-wide property validation type for the siteminder.session.generateCookieString was set incorrectly and a WARNING message was displayed when Gateway started.
Corrected an issue where if a JSON payload contained special characters (-/:;()$&@“.,?!’[]{}#%^* =_|~<>€•.,?!), then the Evaluate JSON Path Expression V2 assertion converted the characters to unicode. This issue has been resolved. The literal characters are returned as expected. Note that this issue is not fixed for the deprecated Evaluate JSON Path Expression assertion.
Corrected an issue where the Check IP check box, when not selected, in CA SSO Configuration Properties throws an error when trying to connect to an SSO server.
Corrected an issue in the MQ Native Queue Properties dialog that caused some values to save unintentionally when changing the direction of the queue from Inbound to Outbound.
Re-ordered the post service hook to ensure the execution behaviour of service hook and global service policy is consistent.
The cluster property, cassandra.maxSimultaneousRequestsPerHostThreshold, was earlier used to set the maximum connections per Cassandra host. It is now used to set the maximum number of simultaneous requests per Cassandra host. The default value changed from
when hostDistance=LOCAL.
The following Cassandra connection properties are added in this CR release:
  • Pooling properties:
    • coreConnectionsPerLocalHost
    • maxConnectionsPerLocalHost
    • coreConnectionsPerRemoteHost
    • maxConnectionsPerRemoteHost
    • newConnectionThreshold
  • Load balancing properties:
    • localDataCenterName
    • numOfUsedHostsPerRemoteDC
Fixed performance issue with Route via HTTP(S) assertion.
Corrected a minor password issue that incorrectly informed some users of exceeded failed attempts when logging into the Policy Manager.
Corrected an issue that was causing the Encode/Decode Data assertion to fail when encoding large files.
Corrected a signing issue in (Non-SOAP) Sign XML Element assertion with no ID attribute at document level.
Corrected a Policy Manager connection issue when using an external identity provider.
Corrected pagination issues in the query results when using Microsoft Active Directory in the Query LDAP assertion.
The LDAP Group Query in Gateway is not showing results. See Known Issues for the workaround.
Corrected an issue that caused Gateway to accept an incorrect Queue name in the MQ Native Queue Properties dialog, which resulted in increasing the number of connections on the configured channel until the MQ server denied new connections. Gateway now throws an error when an incorrect Queue name is provided.
Updated Gateway to display appropriate audit messages with ERROR tag instead of INFO tag.
Corrected an issue that caused the SSG log to show stack trace at Severe level when the Route via HTTP assertion is given an invalid port number.
Corrected an issue where, when a Route via MQ Native Assertion was applied within an encapsulated assertion, the request message was not sent and a stack trace was logged in the audit logs.
The following line is no longer required for adding to the file if your Luna machine is FIPS enabled :
Limited Listen Port names to 128 characters or less to prevent SSM from throwing an error.
Corrected an issue that prevented the saving of cloned log sinks due to invalid characters in the log sink name.
Corrected an issue that caused a FileNotFoundException to be logged with stack trace in the SSM log when a user attempts to export a key in the directory where the read-only file already exists.
An issue causing the syslog server to be unreachable, which resulted in the Gateway hanging, is now fixed.
Fixed an issue where an ICAP Server response header size was not configurable. A new cluster wide property, icap.maxResponseHeaderSize, is added in Gateway to configure ICAP max response header size.
An issue causing an SSH_DISCONNECT_BY_APPLICATION error for a customer when attempting to connect to the Gateway via SFTP has been fixed.
Fixed an issue that caused failure in returning results when running an LDAP group query.
Fixed a CRL cache updating issue. A new cluster property, pkix.crl.validateCrlBeforeCacheUpdate, is added to validate the CRL with issuer key before updating the cache.
Resolved an issue that prevented the Gateway from enforcing a server-side cipher