Resolved Issues

Issues Resolved in Version 9.4
The following issues are fixed in CA API Gateway 9.4:
Fixed Issue ID
Description
DE218036
Corrected an issue that caused the Gateway to reject requests where the Content-Encoding header is set to GZIP.
DE221350
Corrected an issue that caused the Policy Manager to close unexpectedly when it encountered an assertion without an icon.
DE240455
When configuring the CA Mobile API Gateway, it is now possible to configure an XMPP Inbound Port using the same port number on two different network interfaces.
DE251925
The Gateway no longer adds an extraneous "Content-Length: 0" to the header when the HTTP method does not have a body. Affected HTTP methods: GET, DELETE, HEAD, OPTIONS.
DE265359
Corrected a condition that allowed ssgconfig users to issue shell requests over SSH.
DE271778
Corrected an error that caused a bundle import to fail if entities referenced in the bundle do not already exist in the target Gateway.
DE283179
Corrected an issue that allowed root user operations to be performed from the Restricted Shell.
DE284327
Corrected an issue that caused the REST Management API to return the incorrect number of dependencies for a service.
DE286287
Corrected an issue with the Route via HTTP(S) Assertion where under certain conditions the logs report that the assertion succeeded, when in fact a response error occurred.
DE287665
When the database for a Gateway AMI Appliance is updated, the gateway user is incorrectly denied access to the database. This has been corrected.
DE288689
Enhanced the Gateway patcher so that errors are reported, with more detailed logging added to the sspc logs.
DE290398
Corrected an issue that caused the Gateway status to show "STARTING" instead of "RUNNING" when the security.fips.enable cluster property is set to "true".
DE290678
Corrected the audit messages generated by the Apply Rate Limit Assertion to be at the FINE level instead of INFO.
DE302739
Corrected a failure that occurred when performing a migratein with the Gateway Migration Utility (GMU).
DE306720
Corrected an error message that is displayed when using the Gateway Migration Utility with the "–trustCertificate" option.
DE306924
Corrected performance issues caused by internal libraries that were accessing the file system too frequently.
DE306944
Corrected an issue that was causing the XMPP assertions to report a failure.
DE310244
Corrected copy and paste errors that could occur when copying assertions from a policy fragment or composite assertions.
DE319759
Corrected an issue that caused the process controller log to display the error "Couldn't get HOST.cpuTemp value (Couldn't get CPU temperature)".
DE321971
Corrected several unexpected issues that could occur with the Execute Salesforce Operation Assertion.
DE324840
Corrected a performance issue that arose when setting a Kerberos ticket expiry time to "unlimited".
DE326553
When the Continue Processing Assertion to prevent failure of the policy.
DE326622
Corrected an issue that prevented audit events from being displayed when you select "Show Audit Events" for a specific service in the Gateway Dashboard.
DE327512
Updated the cluster property contentType.otherTextualTypes to support "application/graphql".
DE328317
Corrected an issue where Enterprise Service Manager (ESM) migration failed with a null pointer exception when the policy mapped between the source cluster and the destination cluster had a different assertion at one ordinal.
DE329295
Corrected the JMS Inbound so that a "serviceFinished" callback is correctly invoked for non-HTTP traffic.
DE330274
Corrected an issue where an intermediate certificate is not the correct one after it is uploaded using Manage Private Keys.
DE330447
Updated Tomcat to the latest version of Tomcat 6.x.
DE331346
Updated the embedded database.
DE332398
Corrected caching conditions for security zones that prevented operations even after the security zone is removed. (Example: Assign a JDBC Connection to a security zone, and then remove that security zone. This should remove security for the JDBC connection, but you could not edit or remove that connection until you manually refreshed the JDBC cache.)
DE332690
Corrected an issue with the Enterprise Service Manager that prevented you from generating reports.
DE333386
Corrected an issue that caused the Gateway to incorrectly report JSON structure validation errors.
DE334838
Improvements were made to the custom assertion logging framework to display error messages during debug mode.
DE335796
Corrected an issue that caused newline characters in a cluster-wide property to be omitted when a service is migrated using the Enterprise Service Manager.
DE337487
Added the Sign Certificate Assertion, which processes a CSR (Certificate Signing Request) and generates a signed certificate.
DE337684
Updated the Decode JSON Web Token Assertion so that when it fails, it does not fail the entire policy.
DE337781
Corrected an issue where the Gateway used the old root certificate when the old root certificate was replaced by a new one with the same name.
DE338872
Corrected some issues with the Gateway upgrade process.
DE338973
DE256477
A ClassCastException error observed while the Gateway was processing messages has been resolved.
DE339252
Corrected an issue where migrating the "Load Previous Mappings" button results in the error "an internal error occurred".
DE340275
Corrected an issue that occurred when multiple SPNs are present in the keytab file.
DE341493
Corrected an issue that prevented customized error response messages from being returned in a Route via MQ Native Assertion policy.
DE342088
Corrected the Query LDAP Assertion to correctly parse context variables in the base DN field.
DE342376
Corrected a security issue with the Require SSH Credentials Assertion in the Gateway.
DE342946
Corrected an issue where Swagger validation fails after upgrade to Gateway version 9.3.
DE342952
Corrected an issue that caused an Audit Sink policy timeout to block Gateway user login.
DE342980
Fixed the Validate Against Swagger Document Assertion to correctly enforce the "Require Security Credentials to be Present" option, when selected.
DE343053
Added a new "Skip Validation" option to the Access Resource Protected by Oracle Access Manager Assertion, to help prevent certain failures.
DE343232
Corrected an issue where the UseHTTPOnlyCookies ACO parameter does not reflect in the cookie string as HttpOnly when it is set to 'yes'.
DE343361
Corrected an issue where authorization is failing when Idle Session Timeout value is not enabled or set to 0 in CA SSO.
DE347516
Corrected the Evaluate JSON Path Expression V2 Assertion to prevent a "NullPointerException" error from occurring.
DE347523
Updated the Gateway so that you can prevent response processing from failing if the request URL contains "unwise" characters that violate RFC 2396, for example, special characters such as '{' and '}'.
To allow characters that violate RFC 2396 in the request URL:
  1. Open this file for editing:
    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add this line to the file:
    tomcat.util.http.parser.HttpParser.requestTargetAllow = {}{}\<>
    Where '{}{}\<>' are the unwise characters to enable.
  3. Save and exit the properties file, and then restart the Gateway:
    # service ssg restart
DE347794
Fixed the "Extract from WSDL" option in the Validate XML Schema Assertion to ensure correct results.
DE348956
When an encapsulated assertion uses a cluster property as an input argument, that cluster property is not included in the output of the migrateOut command. This has been fixed.
DE351400
Corrected inconsistent RESTman behavior in Gateway cluster nodes.
DE353852
Corrected an issue that caused slowness in signing JSON Web Tokens.
DE354243
Corrected an error that occurred when scaling a Container Gateway with two nodes.
DE356387
Corrected an issue that caused the Gateway node names to be reset to "Gateway 1", etc., after restarting.
DE356626
Corrected the Base64 encoding used by the Create JSON Web Key Assertion for the x5t attribute.
DE357001
Corrected an issue that caused the Bash shell to consume 100% of the CPU after you use "su - ssgconfig" to access the Gateway.
DE358275
Corrected a display error where the description of an identity provider group appears in the Search dialog, but not in the properties for that group.
DE360516
Corrected an issue that prevented the Gateway from starting after upgrading from version 9.2 to 9.3.
DE361031
Corrected an issue that caused excessive latency on the Gateway.
DE361214
Updated the Evaluate JSON Path Expression V2 Assertion so that it no longer appends unexpected "=" characters to the output.
DE361245
Corrected errors that occurred when version 9.3 CR1 is installed.
DE361445
Introduced the following assertions so you can change a user's password and enable the user account in the CA Single Sign-On user directory:
DE361894
Messages sent to the Gateway syslog server now include milliseconds.
DE362150
Updated the Validate Against Swagger Document Assertion to add the "<prefix>.path" context variable. This allows you to see the path in the Swagger document against which the request was validated.
DE362490
Introduced the enableSNISupport option in the GMU to correct an issue where the GMU fails to perform the TLS handshake if the server is Server Name Indication (SNI) enabled.
DE362663
JVM settings have been updated to remove deprecated flags.
DE362783
Updated the Process SAML Authentication Request Assertion so that an invalid SAML request or an invalid binding does not fail the entire policy.
DE362814
Resolved a handshake issue that impacted certain ciphers.
DE363569
Corrected an issue that caused slowdowns with Cassandra connections.
DE363927
Corrected an issue that prevented the Configure Message Streaming assertions from streaming a response back to the client without modification.
DE364175
Improved the output logs from the Container Gateway to match those produced by the standard Appliance Gateway.
DE364259
Corrected an issue with the Enterprise Service Manager that caused the hostname to be incorrect.
DE364342
Corrected the XSL transformation so that failures during the transformation do not cause an internal server error.
DE364397
Corrected an issue that produced an error when switching paths in a WebSocket connection.
DE364424
DE365643
Added the new pkix.crl.invalidateCrlCacheOnNextUpdate cluster property. This property invalidates the CRL on the next update time that is embedded in the CRL. The default value of this CWP is false. Set this property to true if you do not intend to use the cached value when stale.
DE365399
Corrected an issue that prevented the Gateway from retrieving headers from a custom assertion under certain conditions.
DE365432
Corrected the Route via SSH2 Assertion to close SCP sessions after use.
DE365919
Rules defined in listen ports were taking precedence over custom firewall rules. This has been corrected.
DE366357
Corrected an issue that caused the default HTTP port to be created, even though custom ports are specified in a bootstrap bundle (when auto-provisioning a migration bundle).
DE366490
The context variable ${request.soap.operation} was not returning values when used in an encapsulated assertion. This has been corrected.
DE366529
Corrected an issue where the Route via HTTP(S) Assertion would return a Java exception when routing with multiple URLs and a context variable is used for the HTTP response.
DE367210
Corrected an error that occurred when an OAuth callback URL exceeded 200 characters.
DE367258
DE372415
Corrected issues that caused the ${<prefix>.value} variable in the Apply Throughput Quota Assertion to return incorrect values under certain conditions.
  • Condition #1: When the "Decrement" option is used, the context variable ${<prefix>.value} is supposed to return the value of the counter after decrement. But instead, the decrement delta was always being returned.
    For example, a policy contains two Apply Throughput Quota assertions. The first increments a counter by 2, while the second decrements the same counter by 1. After a request is submitted, the ${<prefix>.value} variable should contain "1" (2-1). Prior to the correction, the variable was returning "-1" (the amount of the decrement) in all cases.
  • Condition #2: The following parameters are set in the Apply Throughput Quota Assertion:
    • The Scalability slider is set to "Scalability" (far right).
    • The "Increment only within quota" option is selected.
    • The quota has been reached.
    For example, a quota of 100 per month has been reached and the assertion is executed once more. The actual counter value remains 100, but the ${<prefix>.value} variable is incorrectly set to 101. This correction ensures that the context variable reflects the actual counter value.
DE368578
Corrected an issue with the Apply Throughput Quota Assertion where setting the Scalability slider to the midpoint caused the assertion to behave as if the 'Consistency' setting (far left) was selected. Now, the midpoint setting correctly applies a blend of scalability and performance.
DE369411
Corrected an issue that caused the Container Gateway to ignore user parameters specified in the JDBC URL (through the SSG_DATABASE_JDBC_URL environment variable).
DE369448
Addressed several issues to improve the performance and stability of the Gateway.
DE369768
An issue occurred when using the (Non-SOAP) Decrypt XML Element assertions to encrypt/decrypt an element. If the certificate contains an OID in the Issuer DN, this error is displayed upon decryption: "Encryption recipient was not recognized as addressed to a private key possessed by this Gateway". This has been corrected.
DE371400
Corrected an issue with the Trusted Server Certificate option when used with the Route via HTTP(S) Assertion that caused verification of certificate path even after specifying the selected Trusted Server Certificate option. This correction stops verification of the complete certificate path if a subset of Server Certificate(s) is selected from the Trust Store.
DE371781
Corrected an error that occurred when creating a database for a Gateway running in the Azure Cloud.
DE371803
Corrected an MQ encoding issue that prevented Gateway from reading special characters from an MQ queue.
DE372409
Updated the Container Gateway so that parameters specified by the EXTRA_JAVA_ARGS environment variable take priority over those entered in system.properties, node.properties, and cluster properties.
DE372677
Corrected an issue that caused the first line to be omitted when viewing logs from within the Policy Manager.
DE375497
Enhanced the SSG_DATABASE_PASSWORD environment variable to accept special characters.
DE375782
Corrected an issue that caused the Java heap utilization on the Gateway to increase unexpectedly over several days, which leads to the ssg service restarting.
DE376541
Corrected an error in the Access Resource Protected by Oracle Access Manager Assertion. This assertion was not setting the correct IP address in the cookie and was instead using the client IP address.
DE376725
Added the new json.evalJsonPathAcceptEmptyArray property for the Evaluate JSON Path Expression Assertion. This property preserves the backward compatibility in resulting empty arrays. By default, the value of this property is set to true. If this property value is set to false, the assertion is falsified for empty arrays.
DE377733
Corrected the Read permissions for audits to make it more obvious that it is not permitted to delete audit events.
DE378089
Disabled the autocomplete of URLs in the OAuth Manager page of the Enterprise Service Manager, for security reasons.
DE378269
Gateway now supports MySQL 5.7 TLS 1.2 communication.
DE378704
Renamed the signature methods "RSA/SHA-256" to "RSASSA-PSS/SHA-256". Previously, "RSA/SHA-256" was redundant and both were enabled when either one was selected.
DE384931
The Gateway now supports diffie-hellman-group14-sha1 as the preferred algorithm for inbound/outbound SSH2 traffic.
DE386111
Disabled log sinks in the Container Gateway, as they are not suitable for container environments.
DE386980
Corrected a Salesforce Operation Assertion issue where Salesforce does not reflect changes when a field is updated from non-blank to blank.
US213587
Corrected an issue where the Route via HTTP(S) assertion will always add a 'Host' header to a message, even if the 'HTTP Version' is set to 1.0 on the HTTP tab of HTTP(S) Routing Properties.
US347099
Outbound TCP Connections are now reused when Authorization Header is present. The reuse issue affected Gateway versions that preceded 9.3.
Issues Resolved in Version 9.4 CR1
The 9.4 CR1 cumulative release addresses the following issues.
Note: The 9.4 CR1 release must be installed on a v9.4 Gateway.
Fixed Issue ID
Description
DE381438
Consistency tuning is now available as a configurable property for the Perform Cassandra Query Assertion.
DE394565
Policy Manager enforced a maximum of 10,000 records returned for the Perform JDBC Query assertion. This limitation no longer exists. The new maximum limit for records returned is the max Java integer (2^31 - 1). Your JDBC driver may restrict this to 50 million.
DE374776
Logging thresholds for the Docker container Gateway can now be configured with the new log.console.threshold property in the System Properties file OR as a Cluster-Wide Properties setting.
DE404616
The new cluster-wide property, ssh.routingInactiveTimeout has replaced ssh.routingInactiveInterval to fix file truncation experienced by some customers when transferring large files via SFTP.
US550782
The Apply Throughput Quota Assertion now supports context variable expressions as a time unit parameter value for defining the quota.
US554221
A database-less audit system that is compatible with the ELK (Elasticsearch, Logstash, and Kibana) stack is now available for the Container Gateway.
US571267
DE402124
The Extract Attributes from Certificate assertion is now enhanced so you can choose to publish the Extension Values in the form of context variables by providing the Extension Object Identifiers in the assertion properties.
DE384925
The cluster property, cassandra.maxSimultaneousRequestsPerHostThreshold, was earlier used to set the maximum connections per Cassandra host. It is now used to set the maximum number of simultaneous requests per Cassandra host. The default value changed from 8192 to 1024 when hostDistance=LOCAL.
The following Cassandra connection properties are added in this CR release:
  • Pooling properties:
    • coreConnectionsPerLocalHost
    • maxConnectionsPerLocalHost
    • coreConnectionsPerRemoteHost
    • maxConnectionsPerRemoteHost
    • newConnectionThreshold
  • Load balancing properties:
    • localDataCenterName
    • numOfUsedHostsPerRemoteDC
DE389409
Corrected an issue where the cluster-wide property validation type for the siteminder.session.generateCookieString was set incorrectly and a WARNING message was displayed when Gateway started.
DE346288
Corrected an issue where, when a Route via MQ Native Assertion is applied within an encapsulated assertion, the request message is not sent and a stack trace is logged in the audit logs.
DE376544
Updated Gateway to display appropriate audit messages with ERROR tag instead of INFO tag.
DE377433
Corrected an issue that caused Gateway to accept an incorrect Queue name in the MQ Native Queue Properties dialog, which resulted in increasing the number of connections on the configured channel until the MQ server denied new connections. Gateway now throws an error when an incorrect Queue name is provided.
DE378224
Corrected pagination issues in the query results when using Microsoft Active Directory in the Query LDAP assertion.
Note: The LDAP Group Query in Gateway is not showing results. See Known Issues for the workaround.
DE379142
Corrected a Policy Manager connection issue when using an external identity provider.
DE387219
Corrected an issue that caused the connector object to hold service details when changing the direction of the queue from Inbound to Outbound in the MQ Native Queue Properties dialog.
DE388060
Corrected an issue where the Check IP check box, when not selected, in CA SSO Configuration Properties throws an error when trying to connect to an SSO server.
DE388478
Corrected an issue where if a JSON payload contained special characters (-/:;()$&@“.,?!’[]{}#%^* =_|~<>€•.,?!), then the Evaluate JSON Path Expression V2 assertion converted the characters to Unicode. This issue has been resolved. The literal characters are returned as expected. Note that this issue is not fixed for the deprecated Evaluate JSON Path Expression assertion.
DE389165
Corrected an issue that prevented 70 or more concurrent connections to the Gateway.
DE392310
Corrected an issue in the Gateway Migration Utility that caused a private key to be mapped to more keys than intended.
DE394698
Corrected an issue where importing a certificate without extensions caused a null pointer exception.
DE396224
Corrected an issue that caused a version mismatch while updating the service in RESTMAN calls.
US567571
Upgraded JDK version to 1.8.0_201.
Note: For more information, see JDK Release Notes in Oracle documentation.
Issues Resolved in Version 9.4 CR2
The 9.4 CR2 cumulative release addresses the following issues.
Note: The 9.4 CR2 release must be installed on a v9.4 Gateway.
Fixed Issue ID
Description
US567138
Telemetry configuration is now available for Product Licensing Agreement (PLA) customers.
US567674
JRE 8 is now included in the Gateway Policy Manager installation package for Linux.
DE384246
Corrected a performance issue caused by the HTTP(S) routing assertion with authorization headers. Introduced a cluster property, io.httpRequestAuthzHashAlg, to hash the authorization header so that subsequent requests from the same host, port, and with the same authorization header can reuse the outbound connection.
DE406412
To improve Gateway security, the following algorithms are now supported for SFTP outbound in the Route via SSH2 assertion:
  • ecdh-sha2-nistp521
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp256
DE407818
Introduced a new audit-related cluster property, syslog.dateFormat, that allows format modification of the syslog date-time format.
DE409152
Corrected an internal Gateway exception error resulting from certificate validation against an OCSP server by adding extra null checks.
DE380123
Corrected an issue that was causing the Encode/Decode Data assertion to fail when encoding large files.
DE394505
Corrected an issue where Gateway was not able to verify an XML Element.
DE401386
Corrected an issue to stop Policy Manager from overwriting policies when one policy is not saved immediately and another policy is accessed.
DE402975
DE413457
Corrected an issue where the Query LDAP assertion failed if the Maximum results field was set to a value greater than 9999.
DE403542
Introduced a new Audit Archiver cluster property, auditArchiver.db.defaultDiskThreshold, that allows you to set the default disk space threshold for the MySQL DB data file.
DE409346
Corrected an issue in Query LDAP assertion to ensure that CacheEntry is created based on both DN and LDAP Search Filter.
US587671
Upgraded JDK version to 1.8.0_211.
Note: For more information, see JDK Release Notes in Oracle documentation.
Issues Resolved in Version 9.4 CR3
The 9.4 CR3 cumulative release addresses the following issues.
Note: The 9.4 CR3 release must be installed on a v9.4 Gateway.
AdoptOpenJDK Support
Beginning with version 9.4 CR3, the Java Development Kit (JDK) for the appliance form factor of Gateway will be switched from Oracle to AdoptOpenJDK (8u222-b10). Before upgrading your Gateway, please save a copy of your java.security file in case you have customized it.
For software form factor Gateway users, we also recommend using AdoptOpenJDK 8u222+ beginning with 9.4 CR3.
As a result of the switch-over, the Policy Manager browser client will no longer be supported from this version and onward.
For an FAQ on AdoptOpenJDK and its impact on the API Gateway, see the announcement on the Communities blog.
Solaris 10 Users
There is a known issue with Solaris 10 and AdoptOpenJDK as documented in the Oracle bug report here. Customers running the software form factor of the Gateway with Solaris 10 are required to apply the 150636-01 Solaris patch as stated in the bug report prior to installing Version 9.4 CR3 with the recommended AdoptOpenJDK 8u222-b10.
Fixed Issue ID
Description
DE212225
An issue causing the syslog server to be unreachable, which resulted in the Gateway hanging, is now fixed.
DE395766
Corrected an issue with the removeStaleNodes schedule task that caused a database deadlock.
DE401078
Added an 'isAuthHeader' parameter to the Generate OAuth Signature Base String assertion to prevent the generation of an invalid signature base string for URL query parameters.
DE410059
Corrected an issue with the Scan Using ICAP-Enabled Antivirus assertion, which was not falsifying when receiving an HTTP 500 response.
DE413539
Introduced an argument, in the Policy Manager .ini file so users can increase the logs' shutdown time in case they are not able to view all the logs.
DE416831
Corrected an issue where, when a certificate is trusted and enabled for SSL Outbound, it does not check the io.httpsHostVerify cluster property.
DE418116
Corrected an issue with the AMQP 1.0 Broker that prevented a connection to a JMS destination (queue), causing the Gateway to be unable to process JMS messages. Documentation for AMQP 1.0 Broker configuration also updated accordingly.
DE419099
Corrected a MySQL deadlock error when upgrading Gateway 8.4 to 9.4 by modifying a staleNodeCleanUp task.
US602713
AdoptOpenJDK will be the officially supported JDK for the Gateway as CA Technologies shifts towards supporting open-source implementations of Java. For an FAQ on this switch over, see the announcement on the Communities blog.
Issues Resolved in Version 9.4 CR4
The 9.4 CR4 cumulative release addresses the following issues.
Note: The 9.4 CR4 release must be installed on a v9.4 Gateway.
AdoptOpenJDK 8u232 Support
API Gateway version 9.4 CR4 supports AdoptOpenJDK (8u232-b09) for the appliance form factor. Before upgrading your Gateway, please save a copy of your java.security file in case you have customized it.
For software form factor Gateway users, we also recommend using AdoptOpenJDK 8u232+.
Fixed Issue ID
Description
DE406084
Resolved an issue in Protect Against SQL Attack Assertion to address a security issue.
DE421487
DE407947
Resolved an issue to support critical headers when passed in Encode/Decode JSON Web Token assertions.
DE410134
Resolved an issue that caused a 'host key signature is invalid' error when attempting to connect to the Gateway via SFTP.
DE425025
Resolved an issue that caused Hazelcast WrongTargetException errors to be logged. Hazelcast 3.7 or greater contains the fix. Gateway 9.4 installs with Hazelcast 3.10.2.
DE421593
Resolved an issue that caused Encode JSON Web Token assertion to fail as empty payloads are not allowed.
DE426714
Resolved a 'division by zero' calculation issue that caused the Apply Rate Limit Assertion to fail.
DE429396
Fixed an issue that caused the Gateway to not engage syslog failover (i.e., Gateway attempts to reconnect to syslog #1 indefinitely), preventing the complete collection of logging information. This issue affected the OVA form factor of Gateway version 9.4.
DE430722
Modified implementation of the Bouncy Castle library so that the ${prefix.certificatePolicies} context variable is able to return values. Previously, some customers reported that the Gateway was unable to read certificate policies from a client certificate.
The issue first appeared in version 9.4 CR2 of the Gateway.
DE432790
Corrected an issue where users were not able to set the format field under the MQRFH header in MQ message. When MQRFH and MQRFH2 are selected as additional headers, you can define the format of data that is following this header by adding the property, mqnative.MQRFH.formatField, using the Manage Transport Properties/Headers Assertion.
DE436403
Fixed a Java-related issue that caused the Gateway to show the incorrect time/time zone for a customer in Brazil.
DE440811
As part of Google’s Chrome 80 browser release, Chrome treats cookies that have not declared a SameSite value as SameSite=Lax cookies. This change causes Chrome 80 to behave differently by default than versions prior to version 80, and affects your browser-based applications that make calls to APIs proxied through the Gateway.
Prior to 9.4 CR4, the Gateway parsed SameSite as a separate cookie, and not as an attribute of a cookie, when you used any of the following assertions:
  • Manage Cookie Assertion
  • Manage Transport Properties/Headers Assertion
  • Route via HTTP(S) Assertion
With 9.4 CR4, cookie manipulation via the Gateway supports the SameSite attribute. As part of the fix, we introduced a new property, SameSite, which you can use to select the SameSite cookie attribute value in the Manage Cookie Assertion.
DE443018
Fixed an issue that prevented a Gateway patch from flagging 'EXEC sp_SelectAllCustomers' in the Protect Against SQL Attack assertion for Gateway version 9.4.
DE444079
Resolved an issue in the Restrict Access to IP Address Range assertion, which when looped for multiple ranges caused state interference and unexpected behavior.
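The SameSite parsing defect described under DE440811 above can be reproduced in a few lines; this is an added example, not Gateway code. It assumes a simplified model of the pre-fix behaviour in which any name=value pair the parser does not recognise as an attribute is treated as another cookie; the header value and all function names are constructed for illustration.

```python
"""Added illustration for DE440811: SameSite parsed as a cookie vs. as an attribute."""
from dataclasses import dataclass, field

# Set-Cookie attribute names a SameSite-aware parser recognises.
KNOWN_ATTRIBUTES = {"expires", "max-age", "domain", "path",
                    "secure", "httponly", "samesite"}
# Assumption: a parser written before SameSite existed lacks that one name.
LEGACY_ATTRIBUTES = KNOWN_ATTRIBUTES - {"samesite"}

# Constructed sample header value, not taken from a real Gateway.
SAMPLE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=None"


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)

    def to_header(self) -> str:
        """Serialise back to a Set-Cookie value, preserving attribute order."""
        parts = [f"{self.name}={self.value}"]
        for key, val in self.attributes.items():
            parts.append(key if val is None else f"{key}={val}")
        return "; ".join(parts)


def _split(header: str):
    """Yield (key, value-or-None) for each ';'-separated part."""
    for part in header.split(";"):
        part = part.strip()
        if part:
            key, sep, val = part.partition("=")
            yield key.strip(), (val.strip() if sep else None)


def parse_set_cookie(header: str, known=KNOWN_ATTRIBUTES) -> list:
    """Parse one Set-Cookie value into a list of Cookie objects.

    The first pair is the cookie. A later pair is an attribute when its name
    is in `known` (or it is a bare flag); any other name=value pair becomes a
    separate cookie, which is the modelled pre-fix behaviour.
    """
    pairs = list(_split(header))
    if not pairs or pairs[0][1] is None:
        raise ValueError("Set-Cookie value must start with name=value")
    cookies = [Cookie(pairs[0][0], pairs[0][1])]
    for key, val in pairs[1:]:
        if key.lower() in known or val is None:
            cookies[0].attributes[key] = val
        else:
            cookies.append(Cookie(key, val))
    return cookies


def forwarded_headers(header: str, known) -> list:
    """Set-Cookie values a proxy would emit after parsing and re-serialising."""
    return [c.to_header() for c in parse_set_cookie(header, known)]


def audit_samesite(header: str) -> list:
    """Report how Chrome 80+ will treat the first cookie in a Set-Cookie value."""
    cookie = parse_set_cookie(header)[0]
    attrs = {k.lower(): v for k, v in cookie.attributes.items()}
    mode = attrs.get("samesite")
    if "samesite" not in attrs:
        return ["no SameSite attribute: Chrome 80+ treats the cookie as SameSite=Lax"]
    if (mode or "").lower() not in {"strict", "lax", "none"}:
        return [f"unrecognised SameSite value: {mode!r}"]
    if mode.lower() == "none" and "secure" not in attrs:
        return ["SameSite=None without Secure: rejected by Chrome 80+"]
    return []


if __name__ == "__main__":
    for label, known in (("pre-fix model", LEGACY_ATTRIBUTES),
                         ("SameSite-aware", KNOWN_ATTRIBUTES)):
        print(label)
        for value in forwarded_headers(SAMPLE, known):
            print("  Set-Cookie:", value, audit_samesite(value))
```

Running `audit_samesite` over the Set-Cookie values captured on the client side of a proxy shows whether the attribute survived the hop or was split off into a cookie of its own.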
Issues Resolved in Version 9.4 CR5
The following issues are fixed in Layer7 API Gateway 9.4 CR5:
AdoptOpenJDK 8u252 Support
API Gateway version 9.4 CR5 supports AdoptOpenJDK (8u252-b09) for the appliance form factor. Before upgrading your Gateway, please save a copy of your java.security file in case you have customized it.
For software form factor Gateway users, we also recommend using AdoptOpenJDK 8u252+.
Fixed Issue ID
Description
DE451118
Implemented a new serviceUsage.updateInterval cluster property to give users the ability to disable updates to the service_usage table to resolve a Gateway SSG database performance issue. See Service Cluster Properties to learn more.
DE452738
Resolved a SAML token validating issue. Introduced the following SAML Cluster Properties:
  • samlAssertion.validate.notBeforeOffsetDuration
  • samlAssertion.validate.notOnOrAfterOffsetDuration
DE448192
Resolved a thread pool issue in the Route via MQ Native assertion where the MQ threads were not timing out after a time interval. Introduced a new field, MQ PUT Timeout, in the Target tab of the MQ Native Routing properties dialog.
DE454594
Enhanced the Name field in the Stored Password properties to accept $ and @ characters.
DE459849
Resolved an issue so that Gateway can log messages larger than 10KB by introducing a cluster property, audit.log.maxFormattedMessageSize.
DE459135
Resolved an issue where CA SSO Agent fails to re-establish the connectivity to the SSO policy server. Introduced a new cluster property, siteminder.managementTimePeriod, to configure the time period to reinitialize the CA SSO agent.
DE453796
Resolved an issue that caused Encode JSON Web Token assertion to fail as empty payloads are not allowed. Introduced a checkbox, , to enable the assertion to accept empty payloads.
DE448183
Resolved an issue to avoid downtime during the upgrade of Precision API Monitoring Solution Kit.
DE461160
Resolved a stack trace issue that occurs when the Policy Manager is trying to connect to an LDAP identity provider.