New Features and Enhancements

This topic summarizes the new features and enhancements for the current release of the Layer7 API Gateway.

What's New in Gateway Version 10.1

Java 11 Support
All third-party libraries used by the API Gateway are now compatible with Java 11. The Gateway has also been optimized for Java 11.
Support for ESXi 7.0
The API Gateway now supports VMware ESXi/vSphere 7.0 for the OVA form factor. Versions 6.5 and 6.7 will continue to be supported by Broadcom Layer7 for Gateway version 10.1 on a best-effort basis. See Requirements and Compatibility for the latest platform and third-party support information.
Support for RSASSA-PSS Signature Algorithms
RSASSA-PSS is recognized by open banking institutions and PSD2 as a preeminent RSA signature scheme. The Gateway now supports the following RSASSA-PSS signature hash algorithms for the RSA key type when creating private keys, generating a Certificate Signing Request (CSR), and signing a certificate:
  • SHA-256 (RSASSA-PSS)
  • SHA-384 (RSASSA-PSS)
  • SHA-512 (RSASSA-PSS)
You may also set a new system property,, to a value of 'RSASSA-PSS' to ensure that the algorithm becomes the default for SSL key creation in the initial boot-up of the Gateway.
Support for New JSON Web Signatures
For organizations interested in RFC7518 compliance, the Gateway now supports the following JWS algorithms:
  • PS256 (RSASSA-PSS using SHA-256 and MGF1 with SHA-256)
  • PS384 (RSASSA-PSS using SHA-384 and MGF1 with SHA-384)
  • PS512 (RSASSA-PSS using SHA-512 and MGF1 with SHA-512)
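The PS256 entry above, worked through as an added example (not Layer7 or Gateway code): a compact JWS is signed and verified with Go's standard library using RSASSA-PSS, SHA-256, MGF1 with SHA-256 and a salt as long as the hash, and the verifier pins the algorithm instead of trusting the token header. The function names, the minimal header and the throwaway key are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var ps256 = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // RFC 7518 3.5: salt = hash length
var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key (assumption)

// SignPS256 returns a compact JWS (header.payload.signature) signed with PS256.
func SignPS256(key *rsa.PrivateKey, payload []byte) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"PS256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], ps256)
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyPS256 pins the algorithm: a token whose header names anything else is rejected.
func VerifyPS256(pub *rsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "PS256" {
		return nil, fmt.Errorf("header unreadable or alg is not PS256")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, ps256) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	return b64.DecodeString(parts[1])
}

func main() {
	tok, _ := SignPS256(demoKey, []byte(`{"sub":"demo"}`))
	body, err := VerifyPS256(&demoKey.PublicKey, tok)
	fmt.Printf("%s %v\n", body, err)
}
```

PS384 and PS512 differ only in the hash: the digest, the MGF1 hash and the salt length all follow it.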
Support for TLS v1.3
By default, TLS v1.3 and TLS v1.2 are enabled, and TLS v1.1 and TLS v1.0 are disabled.
New cluster properties in Validate Against OpenAPI Document Assertion
The following cluster properties have been introduced to improve the caching capability of the Validate Against OpenAPI Document assertion, allowing multiple OpenAPI documents to be maintained in the cache:
  • openapi.modelCache.maxSize
  • openapi.modelCache.idleTimeout
Increased OVA Disk Size
The API Gateway 10.1 OVA disk size has been increased to 70GB to accommodate the increased MySQL 8.0 RPM package size.
If you plan to reimage a Gateway 9.4 VM, see how to update an OVA Virtual Machine by re-imaging.
Support for Kerberos Authentication when Token Compression is Enabled
Kerberos authentication in API Gateway is now supported when Kerberos Token compression is enabled. In Microsoft Active Directory 2012 and later versions, the resource SID compression is enabled by default, which enables Kerberos Token compression during Kerberos authentication.
New WebSocket assertion
The Connect to Outbound WebSocket assertion allows you to establish an outbound WebSocket connection using a specified WebSocket connection entity that is selected implicitly from the policy context.
Advanced Listen Port Property
By default, an HTTP/2 listen port allows each host to send 20 events per second. You can now configure an advanced property, maxEventsPerSecond=<value>, to allow more events per second. This property overrides the cluster property value, http2.transport.maxEventsPerSecondDefault.
Enhanced Security for Gateway System Settings Exports
Applies to the Gateway System Settings (SSG Config) export and import process for Gateway administrators. The bind password for LDAP authentication and shared secret for RADIUS authentication are now hidden (with a stand-in value of
) in the export payload file. This enhancement ensures that the password or shared secret does not persist in the payload file.
Prior to importing a configuration to a Gateway, administrators are advised to manually insert the bind password or shared secret into the payload file using a text editor of their choice. Alternatively, they may import the configuration payload as is and re-enter the bind password or shared secret via Gateway System Settings > Option 4: Configure Authentication Method.
Support for Java 11-Compatible HSM Clients
The Gateway now supports Java 11-compatible client software for supported nCipher and Luna SA HSMs. HSM users who plan to upgrade to Gateway 10.1 MUST install and configure Java 11-compatible client software as follows:
  • nShield Connect and Solo users must install nShield client version 12.70.4
  • Luna SA HSM users must install the Luna client version 10.2 (Gateway 10.0 CR 3 users who have already installed this client version must reconfigure the client per the revised instructions provided by Layer7).
For a detailed summary of currently supported HSMs and client software, see Requirements and Compatibility.
More Luna Partition Policy Changes for Luna HSM Users (Applies to Client version 10.2)
Additional Luna partition policy changes have been introduced for this release. You may now turn the following policies OFF:
  • Policy 2: Enable Private Key Unwrapping
  • Policy 5: Allow Secret Key Wrapping
  • Policy 6: Allow Secret Key Unwrapping
  • Policy 17: Allow Signing with Non-Local Keys
  • Policy 33: Allow RSA PKCS Mechanism
The ability to turn these policies off gives users additional flexibility in tailoring their HSM to security requirements while maintaining native Gateway functionality; however, users must be aware of some caveats resulting from turning these policies off, as described here.
Updated Custom Assertion SDK
The Gateway Custom Assertion SDK has been updated to version and is now Java 11 compatible. The SDK has also been updated to use the Gradle build tool with enhanced multi-project (custom assertion) building capabilities.
New '' Configuration File
In previous releases of the Gateway, any customizations that were required for Java security were made directly on the file. However, with the periodic release of new Java upgrades, any customizations made on this file would be overwritten by the new default values. To help users save their Java security customizations separately, a new file has been introduced, found in
. This file serves as a configuration override file - any parameters and values entered in the file shall override the equivalent parameter and values in the file.