New Features and Enhancements
This topic summarizes the new features and enhancements for the current release of the
Layer7 API Gateway. Also included is an Addendum section that describes some of these items in greater detail.
What's New in Gateway Version 10.0 CR4
Support for New JSON Web Signatures
For organizations interested in RFC7518 compliance, the Gateway now supports the following JWS algorithms:
What's New in Gateway Version 10.0 CR3
Support for TLS v1.3
For improved security, TLS 1.3 is now supported for HTTP, HTTP2, and WebSocket connections. New listen ports and WebSocket connections are now set to TLS 1.2 and TLS 1.3 by default upon creation. For new HTTP routing assertions, you can see
TLS 1.3option in the TLS drop-down lists.
TLS 1.3 option is not selected by default for existing listen ports. For existing routing assertions, if you have used
<Any>as the TLS version in the configuration properties and if backend supports TLS 1.3, the route call goes via TLS 1.3 after you upgrade to API Gateway 10 CR3.
Ensure that the following cipher suites are enabled when
TLS 1.3option is selected:
Note:TLS 1.3 is available on AdoptOpenJDK 8u275.
Support for AdoptOpenJDK
Beginning with version 10.0 CR3, the API Gateway now supports AdoptOpenJDK 8u275.
The JDK-8253368 issue leads to more frequent full TLS handshakes while routing to the backend. Layer7 introduced a new cluster-wide property to manage this JDK issue.
For more information, see the known issue here: JDK Regression Issue with AdoptOpenJDK 8u275 for TLS 1.2.
Support for CryptoComply for Java (CCJ) v3.0.1
Applies to FIPS users of the Gateway. The SafeLogic CryptoComply for Java (CCJ) library, a FIPS-compliant cryptographic engine providing FIPS functionality for the Gateway, has been upgraded to version 3.0.1.
Version 3.0.1 is a major release and enforces stricter security guidelines per FIPS 140-2. It now restricts a private key to one set of functions either to decrypt/encrypt OR sign SSL certificates but not both. To maintain backwards compatibility, this new system property has been set to 'true'. However it is recommended that this property is set to 'false' for increased security:
Importing a keystore in JKS format into the Gateway using Policy Manager is not permitted by the CCJ v3.0.1 library but has been enabled by the Gateway to preserve backwards compatibility. Going forward, if you typically import JKS formatted keystores, it is recommended that you convert them to PKCS #12 format prior to importing.
Please be aware that SafeLogic's refreshed architecture and design behind CCJ v3.0.1 may pose some performance tradeoffs on cryptographic operations to accommodate improved security features as required by FIPS.
Support for Kerberos Authentication when Token Compression is Enabled
Kerberos authentication in API Gateway is now supported when Kerberos Token compression is enabled. In Microsoft Active Directory 2012 and later versions, the resource SID compression is enabled by default, which enables Kerberos Token compression during Kerberos authentication.
Changes in Cipher Suite
The default recommended cipher suite list for Gateway has been modified. The list is reordered and it includes the following new cipher suites:
Policy Manager Support for MacOS X
Mac users can now install the Policy Manager on their MacOS X operating system as described here.
What's New in Gateway Version 10.0 CR2
Helm Charts now supported for Container Gateway Deployments to Kubernetes
Moving past its beta phase, Layer7 now has a refreshed Gateway Helm Chart as part of its reference implementation for a cloud-based Container Gateway in Kubernetes. See the following topics to learn more about this exciting change:
Enhancements for the
serviceUsage.updateIntervalwas first introduced for CR1, giving users the option to disable/enable the Gateway's ability to collect service metrics data and write them to the internal MySQL database, giving enterprises more flexibility in their solution architecture. For CR2, this property has been further enhanced to allow users to tune the frequency of service metrics by way of time units. See Service Cluster Properties to learn more.
Telemetry data now sent to Broadcom
PLA customers will now send telemetry data from their Gateways to Broadcom directly at
https://telemetry.broadcom.cominstead of Segment. See Telemetry Data to learn how to activate and learn more about the telemetry requirement as part of the Broadcom PLA agreement.
Data Collection Tool (DCT) now available for the Container form factor
The Data Collection Tool, previously available for the appliance form factor of the Gateway only, is now available for the container form factor to extract troubleshooting information from your system such as GC logs, network activity, thread dumping, and Java security. See Data Collection Tool for more information.
Support for AdoptOpenJDK
For version 10.0 CR2, API Gateway supports AdoptOpenJDK 8u265.