New Features and Enhancements
This topic summarizes the new features and enhancements for the current release of the
Layer7 API Gateway.
What's New in Gateway Version 10.1
Java 11 Support
All third-party libraries used by the API Gateway are now compatible with Java 11. The Gateway has also been optimized for Java 11.
Support for ESXi 7.0
The API Gateway now supports VMware ESXi/VSphere 7.0 for the OVA form factor. Versions 6.5 and 6.7 will continue to be supported by Broadcom Layer7 for Gateway version 10.1 on a best-effort basis. See Requirements and Compatibility for the latest platform and third-party support information.
Support for RSASSA-PSS Signature Algorithms
RSASSA-PSS is recognized by open banking institutions and PSD2 as a preeminent RSA signature scheme. The Gateway now supports the following RSASSA-PSS signature hash algorithms for the RSA key type when creating private keys, generating a Certificate Signing Request (CSR), and signing a certificate:
You may also set a new system property, com.l7tech.security.keystore.defaultKey.signatureAlgorithm, to a value of 'RSASSA-PSS' to ensure that the algorithm becomes the default for SSL key creation in the initial boot-up of the Gateway.
Support for New JSON Web Signatures
For organizations interested in RFC 7518 compliance, the Gateway now supports the following JWS algorithms:
Support for TLS v1.3
By default, TLS v1.3 and TLS v1.2 are enabled, and TLS v1.1 and TLS v1.0 are disabled.
New cluster properties in Validate Against OpenAPI Document Assertion
The following cluster properties have been introduced so that the Validate Against OpenAPI Document assertion's cache can hold multiple OpenAPI documents at the same time:
Increased OVA Disk Size
The API Gateway 10.1 OVA disk size is increased to 70 GB to accommodate the increased MySQL 8.0 RPM package size.
If you plan to reimage a Gateway 9.4 VM, see how to update an OVA Virtual Machine by re-imaging.
Support for Kerberos Authentication when Token Compression is Enabled
Kerberos authentication in API Gateway is now supported when Kerberos Token compression is enabled. In Microsoft Active Directory 2012 and later versions, the resource SID compression is enabled by default, which enables Kerberos Token compression during Kerberos authentication.
New WebSocket assertion
The Connect to Outbound WebSocket assertion allows you to establish an outbound WebSocket connection using a specified WebSocket connection entity that is selected implicitly from the policy context.
maxEventsPerSecond Advanced Listen Port Property
Enhanced Security for Gateway System Settings Exports
This change applies to the Gateway System Settings (SSG Config) export and import process used by Gateway administrators. The bind password for LDAP authentication and the shared secret for RADIUS authentication are now hidden (replaced with the stand-in value * REPLACE HERE *) in the export payload file, so that the password or shared secret does not persist in the payload file.
Prior to importing a configuration to a Gateway, administrators are advised to manually insert the bind password or shared secret into the payload file using a text editor of their choice. Alternatively, they may import the configuration payload as is and re-enter the bind password or shared secret via Gateway System Settings > Option 4: Configure Authentication Method.
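The manual step above, inserting the secret into the payload and confirming no stand-in is left, is easy to get wrong at scale. The following added example (not Gateway code, and not from Broadcom) shows one way to script it: it reads the secrets from environment variables, substitutes them for the * REPLACE HERE * stand-in, and reports any stand-in that still has no value so the import can be refused. The payload layout (line-oriented key=value) and the key names ldap.bind.password and radius.shared.secret are assumptions for illustration; the real export format is not described on this page.

```python
"""Fill '* REPLACE HERE *' stand-ins in an SSG Config export payload from
environment variables, and report any stand-in that is still unfilled.

Assumptions (not taken from the Gateway documentation): the payload is
line-oriented key=value text, and the key names in SECRET_SOURCES are
hypothetical placeholders for whatever the real export uses.
"""
import os

PLACEHOLDER = "* REPLACE HERE *"

# Hypothetical payload keys mapped to the environment variables holding them.
SECRET_SOURCES = {
    "ldap.bind.password": "SSG_LDAP_BIND_PASSWORD",
    "radius.shared.secret": "SSG_RADIUS_SHARED_SECRET",
}

# Constructed sample payload in the assumed key=value layout.
SAMPLE_PAYLOAD = """\
auth.method=ldap
ldap.url=ldaps://ldap.example.internal:636
ldap.bind.dn=cn=gateway,ou=service,dc=example,dc=internal
ldap.bind.password=* REPLACE HERE *
radius.server=radius.example.internal
radius.shared.secret=* REPLACE HERE *
"""


def placeholder_keys(payload: str) -> list[str]:
    """Return the keys whose value is still the stand-in, in file order."""
    keys = []
    for line in payload.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip() == PLACEHOLDER:
            keys.append(key.strip())
    return keys


def fill_placeholders(payload: str, env: dict[str, str]) -> tuple[str, list[str]]:
    """Replace each stand-in whose key has a non-empty secret in env.

    Returns (new_payload, keys_still_missing). Lines that are not stand-ins
    are passed through untouched, so nothing else in the export changes.
    """
    out_lines = []
    missing = []
    for line in payload.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip() == PLACEHOLDER:
            env_name = SECRET_SOURCES.get(key.strip())
            secret = env.get(env_name) if env_name else None
            if secret:
                line = f"{key}={secret}"
            else:
                missing.append(key.strip())
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", missing


if __name__ == "__main__":
    filled, missing = fill_placeholders(SAMPLE_PAYLOAD, dict(os.environ))
    if missing:
        # Refuse to hand the Gateway a payload that still carries stand-ins.
        raise SystemExit(f"unfilled stand-ins for: {', '.join(missing)}")
    # Write with owner-only permissions; the file now holds real secrets.
    fd = os.open("ssg-config-filled.txt", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(filled)
```

Because the filled payload contains the real bind password or shared secret, write it with owner-only permissions and delete it once the import has completed; the export itself stays free of secrets, which is the point of the enhancement.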
Support for Java 11-Compatible HSM Clients
The Gateway now supports Java 11-compatible client software for supported nCipher and Luna SA HSMs. HSM users who plan to upgrade to Gateway 10.1 MUST install and configure Java 11-compatible client software as follows:
For a detailed summary of currently supported HSMs and client software, see Requirements and Compatibility.
More Luna Partition Policy Changes for Luna HSM Users (Applies to Client version 10.2)
Additional Luna partition policy changes have been introduced for this release. You may now turn the following policies OFF:
The ability to turn these policies off gives users additional flexibility in tailoring their HSM to security requirements while maintaining native Gateway functionality; however, users must be aware of some caveats resulting from turning these policies off, as described here.
Updated Custom Assertion SDK
The Gateway Custom Assertion SDK has been updated to version 10.1.00.11539 and is now Java 11 compatible. The SDK has also been updated to use the Gradle build tool with enhanced multi-project (custom assertion) building capabilities.
New 'ssg.security' Configuration File
In previous releases of the Gateway, any customizations required for Java security were made directly in the java.security file. However, each new Java upgrade overwrote that file with the new java.security default values, discarding those customizations. To let users keep their Java security customizations separately, a new ssg.security file has been introduced at /opt/SecureSpan/Gateway/runtime/etc/ssg.security. This file serves as a configuration override file: any parameter and value entered in ssg.security overrides the equivalent parameter and value in java.security.
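To see what "override" means in practice, the following added example (illustration only, not Gateway code) parses a java.security-style properties excerpt and an ssg.security excerpt and computes the effective settings: a key present in ssg.security replaces the java.security value outright, and every other key keeps its JDK default. The parser handles the standard Java properties syntax used by java.security (comments, key=value pairs, backslash line continuations). Both file excerpts are constructed for the example; jdk.tls.disabledAlgorithms is used because it is a typical site customization, but the page does not state which keys the Gateway itself expects to be overridden.

```python
"""Compute the effective Java security settings once ssg.security overrides
are applied on top of java.security.

Added illustration of the override semantics; the file contents below are
constructed in the style of a JDK 11 java.security file, not copied from a
Gateway, and the Gateway's own loading code is not shown here.
"""

# Constructed excerpt in the style of a JDK 11 java.security file.
JAVA_SECURITY = """\
# Algorithms disabled for TLS
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usageTLSServer, \\
    RSA keySize < 1024
securerandom.source=file:/dev/random
"""

# Constructed ssg.security override file: only the keys the site changes.
SSG_SECURITY = """\
# Site customization kept outside java.security so JDK upgrades do not wipe it
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java properties syntax: '#'/'!' comments, key=value, and a
    trailing backslash that continues the value on the next line."""
    props: dict[str, str] = {}
    logical: list[str] = []  # pieces of the logical line being assembled
    for raw in text.splitlines():
        line = raw.strip()
        if logical:
            logical.append(line)  # continuation of the previous line
        elif not line or line.startswith(("#", "!")):
            continue  # blank line or comment outside a continuation
        else:
            logical.append(line)
        if logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1]  # drop the continuation marker
            continue
        joined = "".join(logical)
        logical = []
        key, _, value = joined.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_security(java_security: str, ssg_security: str) -> dict[str, str]:
    """ssg.security values replace java.security values key by key; keys
    absent from ssg.security keep their java.security value."""
    merged = parse_properties(java_security)
    merged.update(parse_properties(ssg_security))
    return merged


def overridden_keys(java_security: str, ssg_security: str) -> list[str]:
    """Keys whose effective value differs from the java.security default,
    useful for auditing what a site has actually changed."""
    base = parse_properties(java_security)
    over = parse_properties(ssg_security)
    return sorted(k for k, v in over.items() if base.get(k) != v)


def disabled_tls(props: dict[str, str]) -> list[str]:
    """Split jdk.tls.disabledAlgorithms into its individual entries."""
    return [a.strip() for a in props["jdk.tls.disabledAlgorithms"].split(",")]


if __name__ == "__main__":
    effective = effective_security(JAVA_SECURITY, SSG_SECURITY)
    print("overridden:", overridden_keys(JAVA_SECURITY, SSG_SECURITY))
    print("effective jdk.tls.disabledAlgorithms:", disabled_tls(effective))
```

Because an ssg.security entry replaces the whole value rather than appending to it, a site override must restate every algorithm it still wants disabled; the constructed override above keeps the JDK's list and adds TLSv1 and TLSv1.1 to it.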