Resolved Issues

Issues Resolved in Version 9.3
Fixed Issue ID
Outbound client mutual authentication keep-alive is now enabled by default.
Previously, enabling this required a manual change to the Gateway system property to 'true'; otherwise, a new connection would be created for each pass.
Corrected an issue with an RBAC role not allowing CA SSO to be registered. A user was unable to register an SSO configuration if the permission had been granted with a scope rather than <ALL>. This has since been fixed.
Corrected an issue where Internet Explorer was unable to handle multiple headers resulting from Ajax calls to the Gateway. This was resolved by adding a new cluster-wide property. See Process CORS Request Assertion for more information.
Corrected an issue which prevented importing a certificate when there were international characters in the "issued to" field.
Corrected an issue where the software database keystore might become corrupted when a large number of expiry days was entered. The Policy Manager now reminds you that "Days until expiry must not push beyond year 9999".
Corrected an issue where the logged CN from the Require SSL or TLS Transport Assertion was from the client certificate's issuer CA, and not from the actual CN of the client certificate.
Corrected a couple of NullPointerException issues with the AdminSessionManager. 
Corrected an issue with RBAC for Manage Identity Providers role. A user with this role now has permissions and visibility into Identity Provider properties.
Corrected an issue where not all XPath query results were capitalized when using the upper-case function.
Corrected an issue where the extraction of SAML attributes terminated Gateway service when an attribute was empty.
Corrected an issue where the Query LDAP Assertion returned NULL.
The Gateway is now able to process special characters (specifically £) in stored passwords.
Corrected an issue with Accumulate Data in Memory Assertion. Previously, attempts to use the assertion to optimize shipment of audit logs off-box were not successful due to log records being corrupted. This issue has been fixed.
If a JSON object contains a forward slash in the JSON object input, then the Gateway appends a backslash to 'escape' the forward slash in the cluster property to 'true'.
Corrected an issue where the Create Routing Strategy Assertion would not function within a Scheduled Task.
Corrected an issue where Validate JSON Schema Assertion did not give results according to the JSON Schema specifications.
Corrected an issue where the user was able to access WebSocket Connection after installing the CA API Gateway Enterprise license, but was unable to create a connection.
Corrected a caching issue with the Perform JDBC Query Assertion. The maximum age for a JDBC connection has been increased from 500 ms to 5000 ms.
Corrected an issue with the 
 failing when running on a Windows server. This occurred when there were spaces in the directory path, and has since been fixed.
Corrected the log output order when using Include Policy Fragment Assertion. Previously, policy logs from an include policy would be displayed in a reverse order. This has since been fixed.
Corrected an issue where Enterprise Service Manager fails to migrate cluster properties greater than 8192 characters in length. The result was that the migrated property was either empty or was corrupted.
Corrected an issue where the Validate Against Swagger Document Assertion failed to validate the HEAD method.
Corrected false positive results from the Evaluate JSON Path Expression V2 Assertion.
Corrected an issue where an error dialog appeared in the Customize Error Response Assertion when highlighting all text (select all) in the "Response Body" using a multi-byte keyboard.
Corrected an issue where new inputs to existing encapsulated assertions were not propagated correctly. Previously, the new inputs were only propagated by opening and saving each instance of the encapsulated assertion in each service policy.
Corrected an issue where the invalid characters appear in the response to a service which does not have charset (UTF-8) in its content type header.
Corrected an issue which prevented you from accessing WebSocket Connection to view all connections after installing the CA API Gateway Enterprise license.
Corrected an issue where the Decode JSON Web Token Assertion was failing inconsistently with Gateway's standard policy execution logic.
Corrected an issue where policy migration failed due to spaces in the certificate common name.
Corrected an issue with the Route via SSH2 Assertion, where enabling "Validate Servers host key" in the assertion causes a "9434: SSH routing error".
Corrected an issue where JWT policy migration with "Sign Payload" option enabled failed when using the Enterprise Server Manager (ESM).
Corrected a connection issue between the Gateway and OCSP (Online Certificate Status Protocol) servers, where the connection was stuck in a CLOSE_WAIT loop.
Corrected an issue with Kerberos Smart Card login error after updating from Gateway v8.3 to v9.2. Kerberos login now works as expected.
There was an issue with updating cluster-wide property via RESTman when the character length exceeded 131,072. This issue has been fixed and maximum length has been increased to 4,194,304 characters.
Corrected an issue where entering a shorthand version of a time unit (for example, "5m" for five minutes) for the value of inbound and outbound WebSocket Cluster Properties would render the Gateway unable to start.
Corrected a GMU (Gateway Migration Utility) issue that caused an error when using the templatized command for dependencies (IDT1).
Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behaves as expected.
Corrected an issue where an incorrect error message was returned when validating using JSON Schema.
Corrected the Route via JMS Assertion to allow JMS properties that begin with "JMSX" and "JMS_" to pass through when you use the "Customize JMS message properties to forward" option. If you have incorporated custom branching logic to handle these properties, you may remove this logic.
Corrected Policy Manager stability issues.
Process Controller now supports TLS v1.1 and TLS v1.2 as per the latest PCI compliance. 
Using TLS v1.0 is no longer recommended from a security standpoint. To learn how to disable TLS v1.0, refer to this Knowledge Base article: "TEC1620697 - How to disable TLS 1.0 usage in CA API Gateway and ESM" on the CA Support site.
Corrected an issue where Gateway returned the wrong response code for the CWD command when it worked as an FTP proxy.
Corrected the Service and Policy tree in the Policy Manager to no longer collapse the root folder when a fragment is converted to an encapsulated assertion.
Corrected an issue where application events triggered unnecessary transaction handling causing application performance issues.
Corrected an issue with GMU (Gateway Migration Utility), where routing assertions in the migrated policy continued to search for the key on the source environment.
Corrected an issue where the syslog sink failed to reconnect to the log server automatically when the IP of log server changes.
Changed the Evaluate JSON Path Expression Assertion to log an INFO level audit rather than a WARNING audit when the JSON path is not found.
Issues Resolved in Version 9.3 CR1
The 9.3 CR1 cumulative release includes the contents of CR and addresses these issues. 
 The 9.3 CR1 release must be installed on a v9.3 Gateway.
Fixed Issue ID
Updated the JDK version to JDK 1.8.0 Update 162.
Java 8 Update 161 now restricts Diffie-Hellman keys that are less than 1024 bits.
If your CA API Gateway connects to any server that uses Diffie-Hellman (DH) for key exchange (as part of the SSL handshake), ensure that the server is configured to support a DH key size that is greater than or equal to 1024 bits. If the server is configured for a DH key size less than 1024 bits, the SSL handshake fails when the Gateway attempts to connect. To diagnose this issue:
  • Enable network trace logging on the Gateway (
  • In the Gateway logs, look for a SSLHandShake exception: ""
For additional information, see the "Restrict Diffie-Hellman keys less than 1024 bits" section of the JDK 8 Update Release Notes.
Corrected an error that caused a bundle import to fail if entities referenced in the bundle do not already exist in the target Gateway.
Corrected an issue that caused the Gateway to fail to start up when unsupported certificates are imported.
Changing a WebSocket connection now correctly updates all Gateway nodes, not just the node to which the Policy Manager is connected.
Corrected performance issues caused by internal libraries that were accessing the file system too frequently.
Corrected an issue that was causing the XMPP assertions to report a failure.
Corrected an intermittent JMS failure after migrating to the latest release.
Corrected intermittent errors that occurred in the Retrieve Kerberos Authentication Credentials Assertion.
Corrected an issue where HTTP redirects in the Policy Manager did not function correctly and instead returned an error.
Corrected an issue where idle or closed connections were not being cleaned up after use.
Corrected an issue that caused the Gateway to incorrectly report JSON structure validation errors.
Corrected an issue where authentication was rejected by SiteMinder Server when a non-default SSO zone name is specified along with Regenerate SSO Token
Corrected an issue with the Gateway Dashboard that prevented audit information from being displayed for a single service. Previously, right-clicking the chart to select "Show Audit Events" when a specific service was selected resulted in no audit information. Audits were displayed only when "<All Services>" was selected.
Corrected an issue where the Decode JSON Web Token Assertion on failure was leading to the failure of the entire policy.
Corrected a GMU migration issue where the option on destination gateway is enabled automatically.
Enhanced functionality to ensure that Agent Configuration Objects' details are accessible to the Gateway policy. A new field, Agent Configuration Object, has been added to the CA Single Sign-On Check Protected Resource Properties. This field accepts an agent configuration object name and fetches the details from the CA SSO policy server to make them available at the Gateway's policy level. These details can be used by the Gateway policy author to construct a proper cookie.
Applied various security updates to third party libraries.
Issues Resolved in Version 9.3 CR2
The 9.3 CR2 cumulative release includes the contents of CR and addresses these issues. 
 The 9.3 CR2 release must be installed on a v9.3 Gateway.
If you have made customizations to the 
folder, back up this folder before installing 9.3 CR2. This cumulative release upgrades the JDK to 1.8.0_172 and reverts some customizations that were applied to 
. For example, removal of some 
 libraries and changes to the
Using a Luna HSM?
 If you did not back up, you must reapply "com.safenetinc.luna.provider.createExtractableKeys=true" to
Fixed Issue ID
Introduced a checkbox, Connection timeout, in the Raw TCP Routing Properties dialog to allow you to specify the connection timeout value for socket connection. For more information, see Route via Raw TCP Assertion.
Corrected an issue where the process controller log was displaying an error "Couldn't get HOST.cpuTemp value (Couldn't get CPU temperature)".
Corrected an issue where ESM migration failed with a null pointer when there was a mismatch in the policy that is mapped from the source cluster policy and the destination cluster policy, with a different assertion at one ordinal.
Corrected a memory issue that affected Hardware Security Modules connected to the Gateway.
Corrected an issue where migrating the "Load Previous Mappings" button results in "an internal error occurred".
Corrected an issue that prevented customized error response messages from being returned in a Route via MQ Native Assertion policy.
Corrected the Query LDAP Assertion to correctly parse context variable in the base DN field.
Corrected a security issue with the Require SSH Credentials Assertion in the Gateway. 
Corrected an issue where the UseHTTPOnlyCookies ACO parameter does not reflect in the cookie string as HttpOnly when it is set to 'yes'. 
Corrected an issue where authorization is failing when Idle Session Timeout value is not enabled or set to 0 in CA SSO.
Updated the Gateway so that you can prevent response processing from failing if the request URL contains "unwise" characters that violate RFC 2396. For example, special characters such as '{' and '}'.
To allow characters that violate RFC 2396 in the request URL:
  1. Open this file for editing:
  2. Add this line to the file:
    tomcat.util.http.parser.HttpParser.requestTargetAllow = {}|<>
    Where: '{}|<>' are the unwise characters to enable. This will enable the usage of '{', '}', '|', '<', and '>'.
    You should only enable the character(s) you need.
  3. Save and exit the properties file, and then restart the Gateway:
    # service ssg restart
Corrected inconsistent RESTman behavior in Gateway cluster nodes.
Added a new option "Omit Host header" to the Route via HTTP(S) Assertion. This setting allows you to omit including a host header for HTTP/1.0.
Upgraded JDK to 1.8.0_172.
Removed all 
from the default supported cipher list by Oracle (as of JDK 1.8.0_171) for security reasons.
If you need any of these ciphers for legacy compatibility, do the following:
  1. Open the file for editing.
  2. Modify to re-enable the ciphers by removing the "3DES_EDE_CBC" filter.
What happens next?
  • If you have any of the disabled ciphers selected in an listening port configuration, they remain selected. However, these ciphers will not work unless the setting is modified.
  • If you create a new listen port and do not see the deprecated ciphers, ensure setting is modified and then do the following.
Do the following to make all deprecated ciphers visible in the Policy Manager UI:
  1. Open Policy Manager.ini for editing.
  2. Add this property: 
  3. Save and exit, then restart the Policy Manager (if it was currently running).
  4. Open the properties for your listen port and then select the SSL/TLS Settings tab. All ciphers should be visible now.
  5. Select your deprecated cipher and save and exit.
The deprecated cipher will continue to be visible for this specific listen port even if the property in step 2 is removed.
In addition to the listen port, you can select ciphers elsewhere on the Gateway. Refer to Selecting Cipher Suites for a detailed description of other areas where you may need to also select your deprecated cipher.
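The two JDK restrictions these notes describe (the 1024-bit Diffie-Hellman floor under 9.3 CR1 and the "3DES_EDE_CBC" filter above) can be checked with an audit of the JDK security file; the following Python is an added example, not CA or Oracle code. It assumes both restrictions are expressed in the JDK's jdk.tls.disabledAlgorithms security property; the sample file contents and the function names are constructed for illustration.

```python
import re

PROP = "jdk.tls.disabledAlgorithms"  # JDK security property (assumed location of both filters)

# Constructed java.security fragments (not copied from a Gateway install).
HARDENED = r"""
# TLS algorithm restrictions
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
"""
LEGACY = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224
"""


def read_property(text, key):
    """Return key's value from java.security-style text, or None if absent.

    Backslash-continued lines are joined; when a key is defined more than
    once, the last definition wins (java.util.Properties behaviour).
    """
    value, pending, continuing = None, "", False
    # The trailing "" flushes a continuation that runs to end of file.
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            pending, continuing = pending + line[:-1], True
            continue
        entry, pending, continuing = pending + line, "", False
        name, sep, val = entry.partition("=")
        if sep and name.strip() == key:
            value = val.strip()
    return value


def audit(text, required_dh_bits=1024):
    """Report how the TLS restriction property treats weak DH and 3DES."""
    value = read_property(text, PROP)
    entries = [e.strip() for e in (value or "").split(",") if e.strip()]
    dh_floor = None  # smallest DH key size (bits) the JDK will still accept
    for entry in entries:
        m = re.fullmatch(r"DH\s+keySize\s*(<=|<)\s*(\d+)", entry, re.I)
        if m:
            floor = int(m.group(2)) + (m.group(1) == "<=")
            dh_floor = floor if dh_floor is None else max(dh_floor, floor)
    return {
        "property_found": value is not None,
        "dh_floor_bits": dh_floor,
        "weak_dh_rejected": dh_floor is not None and dh_floor >= required_dh_bits,
        "3des_disabled": any(e.upper() == "3DES_EDE_CBC" for e in entries),
    }


def findings(report):
    """Turn an audit report into operator-facing findings (empty = clean)."""
    if not report["property_found"]:
        return [f"{PROP} is not set in this file"]
    out = []
    if not report["weak_dh_rejected"]:
        out.append("weak DH keys are still accepted "
                   f"(floor: {report['dh_floor_bits']} bits)")
    if not report["3des_disabled"]:
        out.append("3DES_EDE_CBC filter is absent: 3DES suites are usable")
    return out


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("legacy", LEGACY)):
        report = audit(text)
        print(label, report, findings(report))
```

Running it against a copy of the security file before and after re-enabling a legacy cipher confirms that only the intended filter changed.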
Corrected an issue where, with the Evaluate Math Expression Assertion, the Gateway generates a Premature End of File error while calculating the processing time.
Added options to allow an empty callback value and more supported signature methods (RSA-256, RSA-512) for the Generate OAuth Signature Base String Assertion.
Corrected an issue where Swagger validation fails after upgrade to 9.3.
Corrected an issue where the Policy Manager Error window is displayed when adding the Validate Against NCES Requirements assertion to a service policy.
Issues Resolved in Version 9.3 CR3
The 9.3 CR3 cumulative release includes the contents of CR and addresses these issues. 
 The 9.3 CR3 release must be installed on a v9.3 Gateway.
Fixed Issue ID
Updated the JDK version to JDK 1.8.0_181.
For more information, see JDK Release Notes in Oracle documentation.
Enhanced the Gateway patcher so that errors are reported, with more detailed logging added to the sspc logs.
Added a new "Skip Validation" option to the Access Resource Protected by Oracle Access Manager Assertion, to help prevent certain failures.
Corrected the Evaluate JSON Path Expression V2 Assertion to prevent a "NullPointerException" error from occurring.
Corrected an issue that caused slowness in signing JSON Web Tokens.
Updated the Create JSON Web Key Assertion so that it uses the correct Base64 encoding for the "x5t" attribute.
Corrected an issue that prevented the Gateway from starting after upgrading from version 9.2 to 9.3.
Corrected an issue that caused excessive latency on the Gateway.
Updated the Evaluate JSON Path Expression V2 Assertion so that it no longer appends unexpected "=" characters to the output.
Corrected errors that occurred when version 9.3 CR1 is installed.
Introduced the following assertions so you can change a user's password and enable the user account in the CA Single Sign-On user directory:
Updated the Validate Against Swagger Document Assertion to add the "
path" context variable. This allows you to see the path in the Swagger document against which the request was validated.
Resolved a handshake issue that impacted certain ciphers.
Corrected an issue that caused a performance impact on the Gateway.
Corrected an issue that caused slowdowns with Cassandra connections.
Improved the output logs from the Container Gateway to match those produced by the standard Appliance Gateway.
Corrected an issue that produced an error when switching paths in a WebSocket connection.
Added the new 
 cluster property 
This property invalidates the CRL on the next update time that is embedded in the CRL. The default value of this CWP is
. Set this property to 
 if you do not intend to use the cached value when stale.
Corrected the Route via SSH2 Assertion to close SCP sessions after use.
Corrected an issue that caused the default HTTP port to be created, even though custom ports are specified in a bootstrap bundle (when auto-provisioning a migration bundle).
Corrected an error that occurred when an OAuth callback URL exceeded 200 characters.
Corrected an issue that caused the Container Gateway to ignore user parameters specified in the JDBC URL (through the SSG_DATABASE_JDBC_URL environment variable).
Addressed several issues to improve the performance and stability of the Gateway.
Corrected an issue that caused a mismatch between the number of log items displayed in the log viewer versus the actual number of items when viewing the log file directly.
Enhanced the SSG_DATABASE_PASSWORD environment variable to accept special characters.
Added the new 
 Evaluate JSON Path Expression Assertion. This property preserves the backward compatibility in resulting empty arrays. By default, the value of this property is set to 
. If this property value is set to 
, the assertion is falsified for empty arrays.
Major enhancements to the Send Email Alert Assertion. Changes include the ability to:
  • Send emails as HTML
  • Send emails with hyperlinks and attachments
  • Control the attachment size through a cluster property
Issues Resolved in Version 9.3 CR4
The 9.3 CR4 cumulative release includes the contents of CR and addresses these issues. 
 The 9.3 CR4 release must be installed on a v9.3 Gateway.
 You must install 9.3 CR4 Policy Manager if you upgrade CA API Gateway to 9.3 CR4 release.
Fixed Issue ID
Corrected an issue where the Protect Against Code Injection Assertion failed to protect against HTML/JavaScript code injection if the request included the <svg> tag. The <svg> tag is now added to the blacklisted HTML/JavaScript tags of the assertion.
Enhanced the  to protect against Hex/Octal Encoded HTML/JavaScript Injection.
Corrected an issue where the Protect Against Code Injection Assertion did not protect if the form-post values contain invalid characters.
Corrected an issue where, when applying a Route via MQ Native Assertion within an encapsulated assertion, the request message is not sent and a stack trace is logged in the audit logs.
Corrected an issue where if a node is renamed in a cluster and then shut down for more than an hour, the name of the node changes to default when the node is started again. The default value of the system property, 
, is now 
7776000 (3 months)
Corrected an issue that prevented the Configure Message Streaming assertions from streaming a response back to the client without modification.
Corrected an issue where XSL-Transformation might fail when a service is called with empty or invalid XML payload.
Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behaves as expected.
Corrected an issue that caused the Route via HTTP assertion to throw an exception when multiple URLs are configured in the Route via HTTP assertion and all the URLs return a 404 error.
Corrected an issue that prevented Gateway from connecting to an Azure MySQL database due to the '@' special character requirement for the MySQL server admin login name (e.g., '[email protected]'). The '@' symbol is now recognized by Gateway for user names.
Corrected an MQ encoding issue that prevented Gateway from reading special characters from an MQ queue.
Corrected an issue that caused Gateway to restart in Azure due to high memory usage.
Corrected pagination issues in the query results when using Microsoft Active Directory in the Query LDAP
 The LDAP Group Query in Gateway is not showing results. See Known Issues for the workaround.
Gateway now supports MySQL 5.7 TLS 1.2 communication.
Corrected a Policy Manager connection issue when using an external identity provider.
Corrected an issue where the Java Web Start application in Policy Manager was not working as some libraries and folders were missing.
 Evaluate JSON Path Expression V2 assertion to see null results.
The Gateway now supports the diffie-hellman-group14-sha1 as preferred algorithm for inbound/outbound SSH2 traffic.
Corrected an issue that caused the Execute Salesforce Operation Assertion to not update fields from non-blank/null to blank/null.
Corrected an issue that caused the connector object to hold service details when changing the direction of the queue from Inbound to Outbound in MQ Native Queue Properties
Corrected an issue where, if a JSON payload contains foreign characters, the Evaluate JSON Path Expression assertion and the Evaluate JSON Path Expression V2 assertion convert the foreign characters to Unicode.
Corrected an issue that prevented 70 or more concurrent connections to the Gateway.
Updated the JDK version to 8u192.
 For more information, see JDK Release Notes in Oracle documentation.
Issues Resolved in Version 9.3 CR5
The 9.3 CR5 cumulative release includes the contents of CR and addresses these issues. 
 The 9.3 CR5 release must be installed on a v9.3 Gateway.
AdoptOpenJDK Support
Beginning with version 9.3 CR5, the Java Development Kit (JDK) for the appliance form factor of Gateway will be switched from Oracle to AdoptOpenJDK (8u222-b10). Before upgrading your Gateway, please save a copy of your file in case you have customized it. For software form factor Gateway users, we also recommend using AdoptOpenJDK 8u222+ beginning with 9.3 CR5. As a result of the switch-over, the Policy Manager browser client will no longer be supported from this version and onward. For an FAQ on AdoptOpenJDK and its impact on the API Gateway, see the announcement on the Communities blog.
Solaris 10 Users
There is a known issue with Solaris 10 and AdoptOpenJDK as documented in the Oracle bug report here. Customers running the software form factor of the Gateway with Solaris 10 are required to apply the 150636-01 Solaris patch as stated in the bug report prior to installing Version 9.3 CR5 with the recommended AdoptOpenJDK 8u222-b10.
Fixed Issue ID
Corrected an issue that caused the syslog server to be unreachable, which resulted in the Gateway hanging.
Corrected an issue that prevented the saving of cloned log sinks due to invalid characters in the log sink name. 
Limited Listen Port names to 128 characters or less to prevent SSM from throwing an error.
Corrected an issue that caused the SSG log to show stack trace at Severe level when the Route via HTTP assertion is given an invalid port number.
Corrected a performance issue caused by the HTTP(S) routing assertion with authorization headers. Introduced a cluster property, to hash the authorization header so that subsequent requests from the same host, port, and with the same authorization header can reuse the outbound connection.
Corrected an issue where the Check IP check box, when not selected, in Manage CA Single Sign-On Configurations throws an error when trying to connect to an SSO server.
Corrected an issue in the Gateway Migration Utility that caused a private key to be mapped to more keys than intended.
Corrected an issue where Gateway was not able to verify an XML Element.
Policy Manager enforced a maximum of 10,000 records returned for the Perform JDBC Query assertion. This limitation no longer exists. The new maximum limit for records returned is the max Java integer (2^31 - 1). Your JDBC driver may restrict this to 50 million.
Corrected an issue with the removeStaleNodes schedule task that caused a database deadlock.
Added an 'isAuthHeader' parameter to the Generate OAuth Signature Base String assertion to prevent the generation of an invalid signature base string for URL query parameters.
Corrected an issue where the Query LDAP assertion failed if the Maximum results field was set to a value more than 9999.
Introduced a new Audit Archiver cluster property, auditArchiver.db.defaultDiskThreshold, that allows you to set the default disk space threshold for the MySQL DB data file.
Corrected an issue that caused partial downloads of large files (e.g., larger than 1.5 GB) via SFTP with the Route Via SSH2 Assertion.
Renamed the signature methods "RSA/SHA-256" to "RSASSA-PSS/SHA-256". Previously, "RSA/SHA-256" was redundant and both were enabled when either one was selected.
Corrected an issue that caused the Gateway to insufficiently consult the DNS to catch changes, thereby causing performance issues for host name IP caching.
Corrected an issue when a Certificate is trusted and enabled for SSL Outbound, it does not check 
 cluster property.
Boolean validation type is now added to the cluster property, 
Corrected a MySQL deadlock error when upgrading Gateway 8.4 to 9.4 by modifying a 
Corrected an issue in the Convert Audit Record to XML assertion, where LF and CR control characters were replaced with 
 in the output.
Corrected issues in the Rate Limit Assertion and the Cluster_info table that caused a divide by 0 error and node deadlock.
JRE 8 is now included in the Gateway Policy Manager installation package for Linux.
AdoptOpenJDK will be the officially supported JDK for the Gateway as CA Technologies shifts towards supporting open-source implementations of Java. For an FAQ on this switch over, see the announcement on the Communities blog.