Resolved Issues

2
gateway93
 
 
2
 
 
Issues Resolved in Version 9.3
Fixed Issue ID
Description
DE210752
Outbound client mutual authentication keep-alive is now enabled by default.
Previously, enabling this required a manual change to the Gateway system property 
com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable 
to 'true'; otherwise, a new connection would be created for each pass.
DE211306
Corrected an issue with RBAC role not allowing CA SSO to be registered.Userwas unable to register an SSO configuration if the permission had been granted with a scope rather than <ALL>. This has since been fixed.
DE211590
Corrected an issue where Internet Explorer was unable to handle multiple headers resulting from Ajax calls to the Gateway. This was resolved by adding a new cluster-wide property. See Process CORS Request Assertion for more information.
DE212186
Corrected an issue which prevented importing certificate when there were international characters in the "issued to" field.
DE212556
Corrected an issue where the software database keystore might become corrupted when large expiry days was entered. The Policy Manager now reminds you that "Days until expiry must not push beyond year 9999".
DE213001
Corrected an issue where the logged CN from the Require SSL or TLS Transport Assertion is from the client certificate's issuer CA, and not from actual CN of the Client Certificate.
DE221320
Corrected a couple of NullPointerException issues with the AdminSessionManager. 
DE221709
Corrected an issue with RBAC for Manage Identity Providers role. A user with this role now has permissions and visibility into Identity Provider properties.
DE226997
Corrected an issue where not allxpathquery results were capitalized when using the upper-case function.
DE231979
Corrected an issue where the extraction of SAML attributes terminated Gateway service when an attribute was empty.
DE242553
Corrected an issue where the Query LDAP Assertion returned NULL.
DE247881
The Gateway is now able to process special characters (specifically £) in stored passwords.
DE254507
Corrected an issue with Accumulate Data in Memory Assertion. Previously, attempts to use the assertion to optimize shipment of audit logs off-box were not successful due to log records being corrupted. This issue has been fixed.
DE256045
If a JSON object contains a forward slash in the JSON object input, then the Gateway appends a backslash to 'escape' the forward slash in the cluster property to 'true'.
DE256549
Corrected an issue where the Create Routing Strategy Assertion would not function within a Scheduled Task.
DE263288
Corrected an issue where Validate JSON Schema Assertion did not give results according to the JSON Schema specifications.
DE263359
Corrected an issue where the user was able to access WebSocket Connection after installing the CA API Gateway Enterprise license, but was unable to create a connection.
DE267998
Corrected a caching issue with the Perform JDBC Query Assertion. The maximum age for a JDBC connection has been increased from 500 ms to 5000 ms.
DE269613
Corrected an issue with the 
GatewayMigrationUtility.bat
 failing when running on a Windows server. This occurred when there were spaces in the directory path, and has since been fixed.
DE269676
Corrected the log output order when using Include Policy Fragment Assertion. Previously, policy logs from an include policy would be displayed in a reverse order. This has since been fixed.
DE269830
Corrected an issue where Enterprise Service Manager fails to migrate cluster properties greater than 8192 characters in length. The result was that the migrated property was either empty or was corrupted.
DE273507
Corrected an issue where the Validate Against Swagger Document Assertion failed to validate the HEAD method.
DE278819
Corrected false positive results from the Evaluate JSON Path Expression V2 Assertion.
DE279171
Corrected an issue where an error dialog appeared in the Customize Error Response Assertion when highlighting all text (select all) in the "Response Body" using a multi-byte keyboard.
DE287710
Corrected an issue where new inputs to existing encapsulated assertions were not propagated correctly. Previously, the new inputs were only propagated by opening and saving each instance of the encapsulated assertion in each service policy.
DE294968
Corrected an issue where the invalid characters appear in the response to a service which does not have charset (UTF-8) in its content type header.
DE295920
Corrected an issue which prevented you from accessing WebSocket Connection to view all connections after installing the CA API Gateway Enterprise license.
DE295988
Corrected an issue where the Decode JSON Web Token Assertion was failing inconsistently with Gateway's standard policy execution logic.
DE296015
Corrected an issue where policy migration failed due spaces in the certificate common name.
DE297378
Corrected an issue with the Route via SSH2 Assertion, where enabling "Validate Servers host key" in the assertion causes a "9434: SSH routing error".
DE301894
Corrected an issue where JWT policy migration with "Sign Payload" option enabled failed when using the Enterprise Server Manager (ESM).
DE303090
Corrected a connection issue between the Gateway and OCSP (Online Certificate Status Protocol) servers, where the connection was stuck in a CLOSE_WAIT loop.
DE303707
Corrected an issue with Kerberos Smart Card login error after updating from Gateway v8.3 to v9.2. Kerberos login now works as expected.
DE308152
There was an issue with updating cluster-wide property via RESTman when the character length exceeded 131,072. This issue has been fixed and maximum length has been increased to 4,194,304 characters.
DE308605
Corrected an issue where entering a shorthand version of a time unit (for example, "5m" for five minutes) for the value of inbound and outbound WebSocket Cluster Properties would render the Gateway unable to start.
DE314461
Corrected a GMU (Gateway Migration Utility) issue that caused an error when using the templatized command for dependencies (IDT1).
DE315889
DE316003
Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behave as expected.
DE317213
Corrected an issue where an incorrect error message was returned when validating using JSON Schema.
DE317751
Corrected the Route via JMS Assertion to allow JMS properties that begin with "JMSX" and "JMS_" to pass through when you use the "Customize JMS message properties to forward" option. If you have incorporated custom branching logic to handle these properties, you may remove this logic.
DE319350
Corrected Policy Manager stability issues.
US212805
Process Controller now supports TLS v1.1 and TLS v1.2 as per the latest PCI compliance. 
Using TLS v1.0 is no longer recommended from a security standpoint. To learn how to disable TLS v.1.0, refer to this Knowledge Base article: "TEC1620697 - How to disable TLS 1.0 usage in CA API Gateway and ESM" on the CA Support site.
US272812
Corrected an issue where Gateway returned the wrong response code for the CWD command when it worked as an FTP proxy.
US332200
Corrected the Service and Policy tree in the Policy Manager to no longer collapse the root folder when a fragment is converted to an encapsulated assertion.
DE268063
Corrected an issue where application events triggered unnecessary transaction handling causing application performance issues.
DE274920
Corrected an issue with GMU (Gateway Migration Utility), where routing assertions in the migrated policy continued to search for the key on the source environment.
DE306979
Corrected an issue where the syslog sink failed to reconnect to the log server automatically when the IP of log server changes.
DE272157
Changed the Evaluate JSON Path Expression Assertion to log an INFO level audit rather than a WARNING audit when the JSON path is not found.
Issues Resolved in Version 9.3 CR1
The 9.3 CR1 cumulative release includes the contents of CR and addresses these issues. 
Note:
 The 9.3 CR1 release must be installed on a v9.3 Gateway.
Fixed Issue ID
Description
US441551
Updated the JDK version to JDK 1.8.0 Update 162.
Java 8 Update 161 now restricts Diffie-Hellman keys that are less than 1024 bits.
If your 
CA API Gateway
 connects to any server that uses Diffie-Hellman (DH) for key exchange (as part of the SSL handshake), ensure that the server is configured to support DH key size that is 
greater than or equal to 1024 bits
. If the server is configured for DH key size 
less than 1024 bits
, the SSL handshake fails when the Gateway attempts to connect. To diagnose this issue:
  • Enable network trace logging on the Gateway (
    -Dorg.eclipse.jetty.LEVEL=DEBUG -Djavax.net.debug=ssl
    )
  • In the Gateway logs, look for a SSLHandShake exception: "javax.net.ssl.SSLHandshakeException:"
For additional information, see the "Restrict Diffie-Hellman keys less than 1024 bits" section of the JDK 8 Update Release Notes.
DE271778
Corrected an error that caused a bundle import to fail if entities referenced in the bundle do not already exist in the target Gateway.
DE288220
Corrected an issue that caused the Gateway to fail to start up when unsupported certificates are imported.
DE303135
Changing a WebSocket connection now correctly updates all Gateway nodes, not just the node to which the Policy Manager is connected.
DE306924
Corrected performance issues caused by internal libraries that were accessing the file system too frequently.
DE306944
Corrected an issue that was causing the XMPP assertions to report a failure.
DE308073
Corrected an intermittent JMS failure after migrating to the latest release.
DE322333
Corrected intermittent errors that occurred in the Retrieve Kerberos Authentication Credentials Assertion.
DE329111
Corrected an issue where HTTP redirects in the Policy Manager do not function correctly and instead returns an error.
DE331350
Corrected an issue where idle or closed connections were not being cleaned up after use.
DE333386
Corrected an issue that caused the Gateway to incorrectly report JSON structure validation errors.
DE335768
Corrected an issue where authentication was rejected by SiteMinder Server when a non-default SSO zone name is specified along with 
Regenerate SSO Token 
option.
DE337678 
Corrected an issue with the Gateway Dashboard that prevented audit information from being displayed for a single service. Previously, right-clicking the chart to select "Show Audit Events" when a specific service was selected resulted in no audit information. Audits were displayed only when "<All Services>"  was selected.
DE337682 
Corrected an issue where the Decode JSON Web Token Assertion on failure was leading to the failure of the entire policy.
DE337688
Corrected a GMU migration issue where the 
IPCheck 
option on destination gateway is enabled automatically.
US419565 
Enhanced functionality to ensure that Agent Configuration Objects' details are accessible to the Gateway policy. A new field 
Agent Configuration Object
 has been added to the 
CA Single Sign-On Check Protected Resource Properties
. This field accepts agent configuration object name and fetches the details from CA SSO policy server to make it available at Gateway's policy level. These details can be used by Gateway policy author to construct a proper cookie.
DE330447
US431889
US432509
Applied various security updates to third party libraries.
Issues Resolved in Version 9.3 CR2
The 9.3 CR2 cumulative release includes the contents of CR and addresses these issues. 
Note:
 The 9.3 CR2 release must be installed on a v9.3 Gateway.
If you have made customizations to the 
/opt/SecureSpan/JDK 
folder, back up this folder before installing 9.3 CR2. This cumulative release upgrades the JDK to 1.8.0_172 and reverts some customizations that were applied to 
/opt/SecureSpan/JDK
. For example, removal of some 
/jre/lib/ext
 libraries and changes to the 
java.security
 file. 
 
Using a Luna HSM?
 If you did not back up java.security, you must reapply "com.safenetinc.luna.provider.createExtractableKeys=true" to 
java.security
Fixed Issue ID
Description
DE342952
Introduced a checkbox, 
Connection timeout
, in the 
Raw TCP Routing Properties
 dialog to allow you to specify the connection timeout value for socket connection. For more information, see Route via Raw TCP Assertion.
DE319759
Corrected an issue where the process controller log was displaying an error "Couldn't get HOST.cpuTemp value (Couldn't get CPU temperature)".
DE328317
Corrected an issue where ESM migration is failing with null pointer, when there is a mismatch in the policy that is mapped from source cluster policy and destination cluster policy with different assertion at one ordinal.
DE337924
Corrected a memory issue that affected Hardware Security Modules connected to the Gateway.
DE339252
Corrected an issue where migrating the "Load Previous Mappings" button results in a "an internal error occurred".
DE341493
Corrected an issue that prevented customized error response messages from being returned in a Route via MQ Native Assertion policy.
DE342088
Corrected the Query LDAP Assertion to correctly parse context variable in the base DN field.
DE342376
Corrected a security issue with the Require SSH Credentials Assertion in the Gateway. 
DE343232
Corrected an issue where the UseHTTPOnlyCookies ACO parameter does not reflect in the cookie string as HttpOnly when it is set to 'yes'. 
DE343361
Corrected an issue where authorization is failing when Idle Session Timeout value is not enabled or set to 0 in CA SSO.
DE347523
Updated the Gateway so that you can prevent response processing from failing if the request URL contains "unwise" characters that violate RFC 2396. For examples, special characters such as '{' and '}'.
To allow characters that violate RFC 2396 in the request URL:
  1. Open this file for editing:
    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add this line to the file:
    tomcat.util.http.parser.HttpParser.requestTargetAllow = {}|<>
    Where: '
    {}|<>
    ' are the unwise characters to enable. This will enable the usage of '{', '}', '|', '<', and '>'.
    You should only enable the character(s) you need. 
  3. Save and exit the properties files, and then restart the Gateway:
    # service ssg restart
DE351400
Corrected inconsistent RESTman behavior in Gateway cluster nodes.
DE360787
US213587
Added a new option "Omit Host header" to the Route via HTTP(S) Assertion. This setting allows you to omit including a host header for HTTP/1.0.
US491695
Upgraded JDK to 1.8.0_172.
DE361605
Removed all 
3DES_EDE_CBC
 ciphers
 
from the default supported cipher list by Oracle (as of JDK 1.8.0_171) for security reasons.
If you need any of these ciphers for legacy compatibility, do the following:
  1. Open the 
    java.security
     file for editing.
  2. Modify 
    jdk.tls.disabledAlgorithms
     to re-enable the ciphers by removing the "3DES_EDE_CBC" filter.
What happens next?
  • If you have any of the 
    disabled ciphers
     selected in an 
    existing 
    listening port configuration, they remain selected. However, these ciphers
     will not work
     unless the 
    jdk.tls.disabledAlgorithms
     setting is modified.
  • If you 
    create a new
     listen port and do not see the deprecated ciphers, ensure 
    jdk.tls.disabledAlgorithms
     setting is modified and then do the following. 
     
     
Do the following to make all deprecated ciphers visible in the Policy Manager UI:
  1. Open 
    Policy Manager.ini
     for editing.
  2. Add this property: 
    -Dcom.l7tech.console.connector.includeAllCiphers=true
     
  3. Save and exit, then restart the Policy Manager (if it was currently running).
  4. Open the properties for your listen port and then select the 
    SSL/TLS Settings
     tab. All ciphers should be visible now.
  5. Select your deprecated cipher and save and exit.
 The deprecated cipher will continue to be visible for this specific listen port even if the property in step 2 is removed.
In addition to the listen port, you can select ciphers elsewhere on the Gateway. Refer to Selecting Cipher Suites for a detailed description of other areas where you may need to also select your deprecated cipher.
DE334838
Corrected an issue where Evaluate Math Expression Assertion the gateway generates 
Premature End of File
 error while calculating the processing time.
DE336259
Added options to allow empty callback value and more supported signature methods RSA-256, RSA-512 for Generate OAuth Signature Base String Assertion.
DE342946
Corrected an issue where Swagger validation fails after upgrade to 9.3.
DE363616
Corrected an issue where Policy Manager Error window is displayed when adding Validate Against NCES Requirements assertion to service policy.
Issues Resolved in Version 9.3 CR3
The 9.3 CR3 cumulative release includes the contents of CR and addresses these issues. 
Note:
 The 9.3 CR3 release must be installed on a v9.3 Gateway.
Fixed Issue ID
Description
US531573
Updated the JDK version to JDK 1.8.0_181.
 
Note
: For more information, see JDK Release Notes in Oracle documentation.
DE288689
Enhanced the Gateway patcher so that errors are reported, with more detailed logging added to the sspc logs.
DE343053
Added a new "Skip Validation" option to the Access Resource Protected by Oracle Access Manager Assertion, to help prevent certain failures.
DE347516
Corrected the Evaluate JSON Path Expression V2 Assertion to prevent a "NullPointerException" error from occurring.
DE353852
Corrected an issue that caused slowness in signing JSON Web Tokens.
DE356626
Updated the Create JSON Web Key Assertion so that it uses the correct Base64 encoding for the "x5t" attribute.
DE360516
Corrected an issue that prevented the Gateway from starting after upgrading from version 9.2 to 9.3.
DE361031
Corrected an issue that caused excessive latency on the Gateway.
DE361214
Updated the Evaluate JSON Path Expression V2 Assertion so that is no longer appends unexpected "=" characters to the output.
DE361245
Corrected errors that occurred when version 9.3 CR1 is installed.
DE361445
Introduced the following assertions so you can change a user's password and enable the user account in the CA Single Sign-On user directory:
DE362150
Updated the Validate Against Swagger Document Assertion to add the "
<prefix>
 
.
path" context variable. This allows you to see the path in the Swagger document against which the request was validated.
DE362814
Resolved a handshake issue that impacted certain ciphers.
DE363154
Corrected an issue that caused a performance impact on the Gateway..
DE363569
Corrected an issue that caused slowdowns with Cassandra connections.
DE364175
Improved the output logs from the Container Gateway to match those produced by the standard Appliance Gateway.
DE364397
Corrected an issue that produced an error when switching paths in a WebSocket connection.
DE364424
DE365643
Added the new 
pkix.crl.invalidateCrlCacheOnNextUpdate 
 cluster property 
This property invalidates the CRL on the next update time that is embedded in the CRL. The default value of this CWP is
 
 
false
. Set this property to 
true
 if you do not intend to use the cached value when stale.
DE365432
Corrected the Route via SSH2 Assertion to close SCP sessions after use.
DE366357
Corrected an issue that caused the default HTTP port to be created, even though custom ports are specified in a bootstrap bundle (when auto-provisioning a migration bundle).
DE367210
Corrected an error that occurred when an OAuth callback URL exceeded 200 characters.
DE369411
Corrected an issue that caused the Container Gateway to ignore user parameters specified in the JDBC URL (through the SSG_DATABASE_JDBC_URL environment variable).
DE369448
Addressed several issues to improve the performance and stability of the Gateway.
DE372677
Corrected an issue that caused a mismatch between the number of log items displayed in the log viewer versus the actual number of items when viewing the log file directly. .
DE375497
Enhanced the SSG_DATABASE_PASSWORD environment variable to accept special characters.
DE376725
Added the new 
json.evalJsonPathAcceptEmptyArray 
 Evaluate JSON Path Expression Assertion. This property preserves the backward compatibility in resulting empty arrays. By default, the value of this property is set to 
true
. If this property value is set to 
false
, the assertion is falsified for empty arrays.
F58412
Major enhancements to the Send Email Alert Assertion. Changes include the ability to:
  • Send emails as HTML
  • Send emails with hyperlinks and attachments
  • Control the attachment size through a cluster property
Issues Resolved in Version 9.3 CR4
The 9.3 CR4 cumulative release includes the contents of CR and addresses these issues. 
Note:
 The 9.3 CR4 release must be installed on a v9.3 Gateway.
 
Important!
 You must install 9.3 CR4 Policy Manager if you upgrade CA API Gateway to 9.3 CR4 release.
Fixed Issue ID
Description
DE328610
Corrected an issue where the 
Protect Against Code Injection Assertion
 failed to protect against HTML/JavaScript code injection if the request included <svg> tag. The <svg> tag is now added in the blacklisted HTML/JavaScript tags of the assertion.
DE328893
Enhanced the  to protect against Hex/Octal Encoded HTML/JavaScript Injection.
DE328904
DE328905
Corrected an issue where the 
Protect Against Code Injection Assertion
 did not protect if the form-post values contain invalid characters. 
DE346288
Corrected an issue where applying a Route via MQ Native Assertion within an encapsulated assertion, the request message is not sent and a stacktrace is logged in the audit logs.
DE356387
Corrected an issue where if a node is renamed in a cluster and then shut down for more than an hour, the name of the node changes to default when the node is started again. The default value of the system property, 
com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds
, is now 
7776000 (3 months)
.
DE363927
Corrected an issue that prevented the Configure Message Streaming assertions from streaming a response back to the client without modification.
DE364342
Corrected an issue where XSL-Transformation might fail when a service is called with empty or invalid XML payload.
DE365919
Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behave as expected.
DE366529
Corrected an issue that caused 
Route via HTTP
 assertion to throw an exception when multiple URLs are configured in the Route via HTTP assertion and all the URLs return 404 error.
DE371781
DE375236
Corrected an issue that prevented Gateway from connecting to an Azure MySQL database due to the '@' special character requirement for the MySQL server admin login name (e.g., '[email protected]'). The '@' symbol is now recognized by Gateway for user names.
DE371803
Corrected an MQ encoding issue that prevented Gateway from reading special characters from an MQ queue.
DE375782
Corrected an issue that caused Gateway to restart in Azure due to high memory usage.
DE378224
Corrected pagination issues in the query results when using Microsoft Active Directory in the 
Query LDAP
 assertion.
 
Note:
 The LDAP Group Query in Gateway is not showing results. See Known Issues for the workaround.
DE378269
DE382814
Gateway now supports MySQL 5.7 TLS 1.2 communication.
DE379142
Corrected a Policy Manger connection issue when using an external identity provider.
DE380915
Corrected an issue where 
Java Web Start
 application in Policy Manager was not working as some libraries and folders were missing.
DE384413
 Evaluate JSON Path Expression V2 assertion to see null results.
DE384931
The Gateway now supports the diffie-hellman-group14-sha1 as preferred algorithm for inbound/outbound SSH2 traffic.
DE386980
Corrected an issue that caused the Execute Salesforce Operation Assertion to not update fields from non-blank/null to blank/null.
DE387219
Corrected an issue that caused the connector object to hold service details when changing the direction of the queue from Inbound to Outbound in 
MQ Native Queue Properties
 dialog.
DE388478
Corrected an issue where if a JSON payload contains foreign characters, then 
Evaluate JSON Path Expression
 assertion and 
Evaluate JSON Path Expression V2
 assertion converts the foreign characters to unicode.
DE389165
Corrected an issue that prevented 70 or more concurrent connections to the Gateway.
US552050
Updated the JDK version to 8u192.
 
Note:
 For more information, see JDK Release Notes in Oracle documentation.
Issues Resolved in Version 9.3 CR5
The 9.3 CR5 cumulative release includes the contents of CR and addresses these issues. 
Note:
 The 9.3 CR5 release must be installed on a v9.3 Gateway.
AdoptOpenJDK Support
Beginning with version 9.3 CR5, the Java Development Kit (JDK) for the appliance form factor of Gateway will be switched from Oracle to AdoptOpenJDK (8u222-b10). Before upgrading your Gateway, please save a copy of your java.security file in case you have customized it.For software form factor Gateway users, we also recommend using AdoptOpenJDK 8u222+ beginning with 9.3 CR5.As a result of the switch-over, the Policy Manager browser client will no longer be supported from this version and onward.For an FAQ on AdoptOpenJDK and its impact on the API Gateway, see the announcement on the Communities blog.
Solaris 10 Users
There is a known issue with Solaris 10 and AdoptOpenJDK as documented in the Oracle bug report here.Customers running the software form factor of the Gateway with Solaris 10 are required to apply the 150636-01 Solaris patch as stated in the bug report prior to installing Version 9.3 CR5 with the recommended AdoptOpenJDK 8u222-b10.
Fixed Issue ID
Description
DE212225
An issue causing the syslog server to be unreachable which resulted in the Gateway to hang is now fixed.
DE218895
Corrected an issue that prevented the saving of cloned log sinks due to invalid characters in the log sink name. 
DE219165
Limited Listen Port names to 128 characters or less to prevent SSM from throwing an error.
DE368338
Corrected an issue that caused the SSG log to show stack trace at Severe level when the Route via HTTP assertion is given an invalid port number.
DE384246
Corrected a performance issue caused by the HTTP(S) routing assertion with authorization headers. Introduced a cluster property
io.httpRequestAuthzHashAlg
, to hash the authorization header so that subsequent requests from the same host, port, and with the same authorization header can reuse the outbound connection.
DE388060
 Corrected an issue where the 
Check IP
 check box, when not selected, in Manage CA Single Sign-On Configurations throws an error when trying to connect to an SSO server.
DE392310
Corrected an issue in the Gateway Migration Utility that caused a private key to be mapped to more keys than intended.
DE394505
Corrected an issue where Gateway was not able to verify an XML Element.
DE394565
Policy Manager enforced a maximum of 10,000 records returned for the Perform JDBC Query assertion. This limitation no longer exists. The new maximum limit for records returned is the max Java integer (2^31 - 1). Your JDBC driver may restrict this to 50 million.
DE395766
Corrected an issue with the removeStaleNodes schedule task that caused a database deadlock.
DE401078
Added a 'isAuthHeader' parameter to the Generate OAuth Signature Base String assertion to prevent the generation of an invalid signature base string for URL query parameters.
DE402975
DE413457
Corrected an issue where Query LDAP assertion failed if the 
Maximum results
 field was set to a value more than 9999.
DE403542
Introduced a new Audit Archiver cluster property, auditArchiver.db.defaultDiskThreshold, that allows you to set the default disk space threshold for Mysql DB data file.
DE404616
Corrected an issue that caused partial downloads of large files (e.g., larger than 1.5 GB) via SFTP with the Route Via SSH2 Assertion.
DE405971
Renamed the signature methods "RSA/SHA-256" to "RSASSA-PSS/SHA-256". Previously, "RSA/SHA-256" was redundant and both were enabled when either one was selected.
DE406143
Corrected an issue that caused the Gateway to insufficiently consult the DNS to catch changes, thereby causing performance issues for host name IP caching.
DE416831
 
Corrected an issue when a Certificate is trusted and enabled for SSL Outbound, it does not check 
io.httpsHostVerify
 cluster property.
 
DE417596
Boolean validation type is now added to the cluster property, 
 
json.evalJsonPathAcceptEmptyArray
.
 
DE419099
Corrected a MySQL deadlock error when upgrading Gateway 8.4 to 9.4 by modifying a 
staleNodeCleanUp
 task.
DE420260
Corrected an issue in the Convert Audit Record to XML assertion, where LF and CR control characters were replaced with 
?
 in the output.
DE426714
Corrected issues in the Rate Limit Assertion and the Cluster_info table that caused a divide by 0 error and node deadlock.
US567674
JRE 8 is now included in the Gateway Policy Manager installation package for Linux.
US602713
AdoptOpenJDK will be the officially supported JDK for the Gateway as CA Technologies shifts towards supporting open-source implementations of Java. For an FAQ on this switch over, see the announcement on the Communities blog.