Changes in 10.0.1 LTS stream

IBM® DataPower® Gateway version 10.0.1 LTS stream introduces the following value changes, behavioral changes, and deprecations and removals.

Value changes

Since the previous long-term support (LTS) release, the following changes apply to values.

Table 1. Value changes in 10.0.1 LTS stream

IBM MQ queue manager
  What changed: Minimum value for cache timeout.
  Previous: 1 second
  Current: 10.0.1.6 - 0 seconds

DataPower Gateway for Developers
  What changed: The delivery channel for the product.
  Previous: Docker Hub
  Current: 10.0.1.5 - IBM Container Registry

Accessing data with the XML management or REST management interfaces
  What changed: The name of the class object associated with stylesheet status.
  Previous: StylesheetCachingSummary
  Current: 10.0.1.4 - StylesheetCachingSummary2

IMS Callout handler
  What changed: Support range for the Input message timeout property.
  Previous: 2018.4.1.15 - Supports values in the range 10 - 3600000.
  Current: 10.0.1.3 - Supports values in the range -1 to 3600000.
    -1 (0x00): Use default values. The default for all RESUME_TPIPE is 2 seconds. The default for all RESUME_TPIPE nonsingle ACK is 0.25 seconds. For all others, the value of the TIMEOUT parameter in the IMS Connect TCPIP configuration statement.
    0 (0xFF): Wait indefinitely. This setting is intended to support the auto option of the asynchronous output function.

Log targets
  What changed: Use of the syslog-ng type.
  Previous: The syslog-ng type was available.
  Current: 10.0.1.0 - The syslog-ng type is no longer available. This type was announced as a deprecation in version 5.0. No automatic replacement is available. If this type is part of your configuration, edit the log target to use the syslog-tcp type.

DNS settings
  What changed: The default algorithm to balance load. This change applies only to new configurations, not to existing configurations.
  Previous: The default algorithm is round-robin.
  Current: 10.0.1.0 - The default algorithm is first alive.

Naming convention
  What changed: Names for objects and properties in the GUI and documentation. The commands are unchanged. This change does not impact existing or new configurations because the change is to text only.
  Previous: The GUI and documentation use SSL as part of the name.
  Current: 10.0.1.0 - The GUI and documentation use TLS as part of the name.

  What changed: Default type for the TLS profile in a configuration. The TLS proxy profile is deprecated and is no longer the default profile type.
  Previous: The default profile type was always the SSL proxy profile.
  Current: 10.0.1.0 - The default value is based on which connections are secured.
    • When a client, the default choice is the TLS client profile.
    • When a server, the default choice is the TLS server profile.

Accessing the GUI
  What changed: The default GUI.
  Previous: Blueprint Console
  Current: 10.0.1.0 - WebGUI

Behavior changes

Since the previous long-term support (LTS) release, the following changes apply to behaviors.
Default SSH cipher suites and MAC algorithms
10.0.1.19 - Due to vulnerabilities, SSH profiles no longer have the following cipher suites and MAC algorithms as default values.
Cipher suites
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
  • rijndael-cbc@lysator.liu.se
MAC algorithms
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • umac-64-etm@openssh.com
  • umac-128-etm@openssh.com
Escape sequence and API paths
10.0.1.14 - Metacharacters in API paths are escaped automatically. Therefore, remove the \ character from any API path that uses it as an escape sequence.
Scope handling by third-party OAuth providers
10.0.1.14 - When token validation requirements are 200 OK + active:true, validation requirements are strictly checked against response scopes in the response body. When the OAuth security requirement defines scopes that are not a subset of response scopes, the request is denied unless advanced scope checks are enabled. For more information, see Configuring a third-party product as the OAuth provider.
Disable all hardware crypto features on a tenant.
10.0.1.11 - When you configure a tenant on an HSM-enabled appliance, you no longer need to disable all hardware crypto features on the tenant.
Default cipher suites for new TLS client and server profiles.
10.0.1.11 - When you create a TLS client or server profile, the following suites are no longer defined as default cipher suites.
DHE_DSS_WITH_AES_256_GCM_SHA384
DHE_DSS_WITH_AES_256_CBC_SHA256
DHE_DSS_WITH_AES_256_CBC_SHA
RSA_WITH_AES_256_GCM_SHA384
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA
DHE_DSS_WITH_AES_128_GCM_SHA256
DHE_DSS_WITH_AES_128_CBC_SHA256
DHE_DSS_WITH_AES_128_CBC_SHA
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_128_CBC_SHA
This change does not affect existing TLS client and server profiles. Review your TLS client and server profiles to evaluate whether your security requirements for TLS connections require these cipher suites. For more information, see the documentation for the following commands.
  • TLS client profile ciphers command.
  • TLS server profile ciphers command.
Transaction logging based on last log action in the assembly.
10.0.1.10 - At the end of the transaction, the API gateway updates the log according to the content type that is specified in the last log action in the assembly. Previously, when the assembly log action was configured to gather only, the API gateway used the content type that is specified in the API definition.
Processing IBM Sterling Transformation Extender maps with a binary transform action
10.0.1.9 - Support for processing IBM Sterling Transformation Extender maps with a binary transform action is no longer included as a feature of the Integration Module or the B2B Module. If your existing configuration contains a processing rule that includes a binary transform action to process Transformation Extender maps, contact IBM Support. The support representative can grant you access to download and activate the new Transformation Extender Module. To validate whether you need this new module, export your complete configuration and search each domain configuration file for the tx-map command.
Warning message displayed when a gateway-peering instance uses the system default.
10.0.1.9 - Any gateway-peering instance that does not use an explicit password raises a warning message in the DataPower GUI. By default, each gateway-peering instance uses the system default for the password alias. The use of the system default is classified as a security vulnerability (CVE-2022-31776). The password alias property was added in 10.0.1.3.
Subscriptions and processing for security requirements
10.0.1.6sr1 - Security requirement processing checks whether an API is valid for a plan. When the API is not registered to a plan, processing returns 403 Forbidden with details about the API not being registered to a plan. Previously, it returned 200 OK.
Changed client_id processing for security requirements
10.0.1.6 - Security requirement processing checks for the client_id in the defined location only, excluding the request body. The locations that are checked during processing can be header or query. This change is to comply with RFC 6749 and to protect against threats where an attacker attempts to glean ID validity and API security requirements by passing a client_id in multiple locations.
Installing and managing connection details for tenants
10.0.1.5 - On physical appliances, you can install and manage connection details for tenants in either graphical interface. The Blueprint Console is deprecated.
TLS proxy profile (deprecated) and supported algorithm
10.0.1.5 - If a service uses the deprecated TLS proxy profile to secure connections, the following crypto changes apply.
  • Disallow ECDHE ciphers from the TLS proxy profile.
  • Disallow PSS signing algorithms from the TLS proxy profile.
These changes were inadvertently introduced without notice in 10.0.0. In general, they were visible only on 8436-53X HSM appliances.
Changed client_id processing for security requirements
10.0.1.4 - Security requirement processing checks for the client_id in all locations, including the request body. When a client_id is found in more than one location, the request is rejected. The locations that are checked during processing are header, query, and request body. This change is to comply with RFC 6749 and to protect against threats where an attacker attempts to glean ID validity and API security requirements by passing a client_id in multiple locations.
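The two client_id rules above (10.0.1.4: search all locations and reject duplicates; 10.0.1.6: search only the defined header or query location and ignore the body), modelled as an added Python example; this is not DataPower code. The request shape, the X-IBM-Client-Id header name, and the choice that 10.0.1.4 takes its value from the defined location are assumptions.

```python
def find_client_id(request, locations, header_name="X-IBM-Client-Id", param_name="client_id"):
    """Collect {location: value} for every listed location that carries a client_id.

    request is a constructed dict {"headers": {...}, "query": {...}, "body": {...}}.
    Header names are matched case-insensitively; query and body use exact names.
    The header name is an assumed default, not taken from the change notes."""
    hits = {}
    if "header" in locations:
        lowered = {k.lower(): v for k, v in request.get("headers", {}).items()}
        if header_name.lower() in lowered:
            hits["header"] = lowered[header_name.lower()]
    if "query" in locations and param_name in request.get("query", {}):
        hits["query"] = request["query"][param_name]
    if "body" in locations and param_name in request.get("body", {}):
        hits["body"] = request["body"][param_name]
    return hits


def evaluate_client_id(request, defined_location, firmware="10.0.1.6"):
    """Return ("accept" | "reject", detail) for a security requirement.

    10.0.1.4: header, query and body are all searched; a client_id present in
    more than one place rejects the request (defends against probing for ID
    validity by sending it in several locations). Assumption: a single hit
    is used only if it sits in the defined location.
    10.0.1.6: only the defined location (header or query) is searched; a
    client_id in the body is never consulted."""
    if defined_location not in ("header", "query"):
        raise ValueError("defined location must be header or query")
    if firmware == "10.0.1.4":
        hits = find_client_id(request, ("header", "query", "body"))
        if len(hits) > 1:
            return "reject", "client_id in multiple locations: " + ", ".join(sorted(hits))
        hits = {loc: val for loc, val in hits.items() if loc == defined_location}
    else:
        hits = find_client_id(request, (defined_location,))
    if not hits:
        return "reject", "client_id missing"
    loc, value = next(iter(hits.items()))
    return "accept", f"client_id {value} from {loc}"


# Constructed sample requests (not captured traffic)
DUPLICATED = {"headers": {"x-ibm-client-id": "abc"}, "query": {"client_id": "abc"}, "body": {}}
BODY_ONLY = {"headers": {}, "query": {}, "body": {"client_id": "abc"}}
HEADER_AND_BODY = {"headers": {"X-IBM-Client-Id": "k1"}, "query": {}, "body": {"client_id": "k2"}}
```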
For SFTP get operations, the maximum read size
10.0.1.4 - When files are retrieved over the SFTP protocol, the system default maximum read size changed to 65536 bytes. Previously, the maximum read size was 32768 bytes.
Added response header when CORS enabled
10.0.1.4 - When CORS is enabled, the response that is sent to the client includes a Vary: Origin header.
Removed dependency on API security token manager for third-party OAuth provider
10.0.1.4 - When you define OAuth provider settings and the provider type is third party, you no longer need to define the API security token manager. When you do not define the API security token manager, third-party tokens are always cached. For more information, see OAuth provider caches.
Changed token-validation requirements for third-party OAuth providers to accept
10.0.1.4 - When the third-party provider response indicates whether the access token is valid, OAuth always accepts this value, independent of the validation mode setting. Previously, when the validation mode was set to connected and the access token had expired, processing returned an HTTP 200 status code. Current processing returns an HTTP 401 status code.
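The third-party token validation described above (10.0.1.4: the provider's active flag is always honoured, so an expired token gives 401) and in the 10.0.1.14 scope-handling note (200 OK + active:true, required scopes must be a subset of the response scopes unless advanced scope checks are enabled), as an added Python model; this is not DataPower code. The 403 for a scope mismatch and the space-delimited scope format (RFC 7662) are assumptions; the page says only that the request is denied.

```python
import json


def validate_introspection(status_code, body, required_scopes, advanced_scope_checks=False):
    """Decide whether a request passes an OAuth security requirement from a
    third-party introspection response. Returns (allowed, http_status).

    - Valid only on 200 OK with "active": true (10.0.1.14).
    - The provider's active flag is always honoured, so an expired token
      yields 401 whatever the validation mode (10.0.1.4).
    - Scopes the security requirement defines must be a subset of the scopes
      in the response body unless advanced scope checks are enabled (10.0.1.14).
      The 403 used here for a scope mismatch is an assumption."""
    if status_code != 200:
        return False, 401
    try:
        data = json.loads(body)
    except ValueError:
        return False, 401
    if data.get("active") is not True:      # provider says the token is not valid
        return False, 401
    # RFC 7662 carries scope as a space-delimited string; tolerate a JSON list too
    scope = data.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = set(required_scopes) - granted
    if missing and not advanced_scope_checks:
        return False, 403
    return True, 200


# Constructed sample provider responses, not captured from a real provider
ACTIVE_READ_WRITE = '{"active": true, "scope": "read write", "client_id": "demo"}'
EXPIRED = '{"active": false}'
```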
Augmented details retrieved for API probe capture settings
10.0.1.4 - When you use the REST GetDetailsAPIProbeCaptureSetting action, the response includes the following fields.
"Interval": seconds,
"RequireDebugHeader": true | false,
"SendTIDInResponseHeader": true | false,
"EncryptionAlgorithm": "algorithm",
"EncryptionCertificate": "certificate",
"LogLevel": "payload" | "debug",
"FilterByAPI": "API",
"FilterByCatalog": "catalog",
"FilterByIP": "address",
"FilterByPath": "path",
"FilterByClientID": "clientID"

The EncryptionAlgorithm, FilterByAPI, FilterByCatalog, FilterByIP, FilterByPath, and FilterByClientID fields are included only when they contain values.

var://service/tls-info variable
10.0.1.3 - Removed information about the session ID from the output of the var://service/tls-info variable.
X-Global-Transaction-ID header
10.0.1.3 - Added the X-Global-Transaction-ID header to requests sent to the following endpoints during OAuth processing with an API gateway.
  • External token management endpoint
  • Introspection endpoint for a third-party provider
  • Metadata endpoint
Assembly log action
10.0.1.1 - The send operation for an assembly log action adds the capture data to the analytics queue for the next offload of analytics data. You cannot immediately send the captured data to the analytics endpoint.
API analytics offload
10.0.1.0 - API gateway analytics offload occurs when either of the following conditions is met.
  • 10% of the value set for max records to buffer is reached.
  • The offload interval elapsed.
Search in GUI and documentation for SSL objects
10.0.1.0 - Renamed SSL objects to TLS objects.
  • In the GUI, search against TLS. Previously you searched against SSL.
  • In the documentation, search against TLS. Previously you searched against SSL.
var://service/system/status variable
10.0.1.0 - You cannot retrieve the data for all status providers. The purpose of the var://service/system/status/ variable is to retrieve data for a specific status provider by its StatusEnum type. When you attempt to retrieve data for all status providers with this variable, the response is a syntax error.