Changes in 10.0.1 LTS stream
IBM® DataPower® Gateway version 10.0.1 LTS stream introduces the following value changes, behavioral changes, and deprecations and removals.
Value changes
Since the previous long-term support (LTS) release, the following changes apply to values.
Function area | What changed | Previous | Current |
---|---|---|---|
IBM MQ queue manager | Minimum value for the cache timeout. | 1 second | 10.0.1.6 - 0 seconds |
DataPower Gateway for Developers | The delivery channel for the product. | Docker Hub | 10.0.1.5 - IBM Container Registry |
Accessing data with the XML management or REST management interfaces | The name of the class object associated with stylesheet status. | StylesheetCachingSummary | 10.0.1.4 - StylesheetCachingSummary2 |
IMS Callout handler | Supported range for the Input message timeout property. | 2018.4.1.15 - Supports values in the range 10 - 3600000. | 10.0.1.3 - Supports values in the range -1 to 3600000. |
Log targets | Use of the syslog-ng type. | The syslog-ng type was available. | 10.0.1.0 - The syslog-ng type is no longer available. This type was announced as a deprecation in version 5.0. No automatic replacement is available. If this type is part of your configuration, edit the log target to use the syslog-tcp type. |
DNS settings | The default algorithm to balance load. This change applies only to new configurations, not to existing configurations. | The default algorithm is round-robin. | 10.0.1.0 - The default algorithm is first alive. |
Naming convention | Names for objects and properties in the GUI and documentation. The commands are unchanged. This change does not affect existing or new configurations because only the text changed. | The GUI and documentation use SSL as part of the name. | 10.0.1.0 - The GUI and documentation use TLS as part of the name. |
Default type for the TLS profile in a configuration. | The TLS proxy profile is deprecated and is no longer the default profile type. | The default profile type was always the SSL proxy profile. | 10.0.1.0 - The default value is based on which connections are secured. |
Accessing the GUI | The default GUI. | Blueprint Console | 10.0.1.0 - WebGUI |
Behavior changes
Since the previous long-term support (LTS) release, the following changes apply to behaviors.
- Default SSH cipher suites and MAC algorithms
  - 10.0.1.19 - Due to vulnerabilities, SSH profiles no longer have the following cipher suites and MAC algorithms as default values.
    - Cipher suites
      - aes128-cbc
      - aes192-cbc
      - aes256-cbc
      - blowfish-cbc
      - cast128-cbc
      - chacha20-poly1305@openssh.com
      - rijndael-cbc@lysator.liu.se
    - MAC algorithms
      - hmac-sha1-etm@openssh.com
      - hmac-sha2-256-etm@openssh.com
      - hmac-sha2-512-etm@openssh.com
      - umac-64-etm@openssh.com
      - umac-128-etm@openssh.com
- Escape sequence and API paths
  - 10.0.1.14 - Meta characters in API paths are automatically escaped. Therefore, remove the backslash (\) character from any API path that uses this character for an escape sequence.
- Scope handling by third-party OAuth providers
  - 10.0.1.14 - When the token validation requirement is 200 OK + active:true, the validation requirements are strictly checked against the scopes in the response body. When the OAuth security requirement defines scopes that are not a subset of the response scopes, the request is denied unless advanced scope checks are enabled. For more information, see Configuring a third-party product as the OAuth provider.
- Disable all hardware crypto features on a tenant
  - 10.0.1.11 - When you configure a tenant on an HSM-enabled appliance, you no longer need to disable all hardware crypto features on the tenant.
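The 10.0.1.14 escape-sequence change above means an API path that was written as /v1/items\.json (the backslash keeping the dot literal) must now be written as /v1/items.json, because the gateway escapes the dot itself and the backslash would become a literal character. The following Python is an added example, not DataPower code: it strips the old escape sequences from a path and models the new matching rule. The assumptions are that {name} segments are path parameters that match one path segment, that the pattern is anchored to the whole request path, and that the meta characters are the usual regular-expression set.

```python
import re

# {name} segments are path parameters (OpenAPI convention); all other text in
# the path is literal. Assumption for this example: a parameter matches one
# path segment and the pattern is anchored to the whole request path.
PARAM = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def migrate_api_path(path):
    """Remove the backslashes that a pre-10.0.1.14 API path used as escape
    sequences: each backslash-x pair becomes x."""
    return re.sub(r"\\(.)", r"\1", path)


def path_to_regex(path):
    """Model of the 10.0.1.14 behaviour: literal text is escaped automatically
    (re.escape), so meta characters such as '.' match only themselves, and a
    backslash left in the definition is now a literal backslash."""
    parts = ["^"]
    pos = 0
    for m in PARAM.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))
        parts.append("(?P<%s>[^/]+)" % m.group(1))
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    parts.append("$")
    return re.compile("".join(parts))


def match_path(api_path, request_path):
    """Return the captured path parameters when request_path matches api_path,
    or None when it does not."""
    m = path_to_regex(api_path).match(request_path)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed sample: an old-style path with an escape sequence.
    old_path = r"/v1/items\.json"
    new_path = migrate_api_path(old_path)
    print(old_path, "->", new_path)
    print("old definition matches /v1/items.json:", match_path(old_path, "/v1/items.json"))
    print("new definition matches /v1/items.json:", match_path(new_path, "/v1/items.json"))
    print("parameter capture:", match_path("/v1/items/{id}", "/v1/items/42"))
```

Running the block shows that the unmigrated definition no longer matches its own intended request path, which is the failure an upgrade to 10.0.1.14 would introduce if the backslashes were left in place.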
- Default cipher suites for new TLS client and server profiles
  - 10.0.1.11 - When you create a TLS client or server profile, the following suites are no longer defined as default cipher suites.
    - DHE_DSS_WITH_AES_256_GCM_SHA384
    - DHE_DSS_WITH_AES_256_CBC_SHA256
    - DHE_DSS_WITH_AES_256_CBC_SHA
    - RSA_WITH_AES_256_GCM_SHA384
    - RSA_WITH_AES_256_CBC_SHA256
    - RSA_WITH_AES_256_CBC_SHA
    - DHE_DSS_WITH_AES_128_GCM_SHA256
    - DHE_DSS_WITH_AES_128_CBC_SHA256
    - DHE_DSS_WITH_AES_128_CBC_SHA
    - RSA_WITH_AES_128_GCM_SHA256
    - RSA_WITH_AES_128_CBC_SHA256
    - RSA_WITH_AES_128_CBC_SHA
- Transaction logging based on the last log action in the assembly
  - 10.0.1.10 - At the end of the transaction, the API gateway updates the log according to the content type that is specified in the last log action in the assembly. Previously, when the assembly log action was configured to gather only, the API gateway used the content type that is specified in the API definition.
- Processing IBM Sterling Transformation Extender maps with a binary transform action
  - 10.0.1.9 - Support for processing IBM Sterling Transformation Extender maps with a binary transform action is no longer included as a feature in the Integration Module or the B2B Module. If your existing configuration contains a processing rule that includes a binary transform action to process Transformation Extender maps, contact IBM Support. The support representative can grant you access to download and activate the new Transformation Extender Module. To validate whether you need this new module, export your complete configuration and search each domain configuration file for the tx-map command.
- Warning message displayed when a gateway-peering instance uses the system default
  - 10.0.1.9 - Any gateway-peering instance that does not use an explicit password raises a warning message in the DataPower GUI. By default, each gateway-peering instance uses the system default for the password alias. Use of the system default is classified as a security vulnerability (CVE-2022-31776). The password alias property was added in 10.0.1.3.
- Subscriptions and processing for security requirements
  - 10.0.1.6sr1 - Security requirement processing checks whether an API is valid for a plan. When the API is not registered to a plan, processing returns 403 Forbidden with details about the API not being registered to a plan. Previously, processing returned 200 OK.
- Changed client_id processing for security requirements
  - 10.0.1.6 - Security requirement processing checks for the client_id in the defined location only, excluding the request body. The locations that can be checked during processing are header and query. This change complies with RFC 6749 and protects against threats where an attacker attempts to glean ID validity and API security requirements by passing a client_id in multiple locations.
- Installing and managing connection details for tenants
  - 10.0.1.5 - On physical appliances, you can install and manage connection details for tenants in either graphical interface. The Blueprint Console is deprecated.
- TLS proxy profile (deprecated) and supported algorithms
  - 10.0.1.5 - If a service uses the deprecated TLS proxy profile to secure connections, the following crypto changes apply.
    - ECDHE ciphers are disallowed in the TLS proxy profile.
    - PSS signing algorithms are disallowed in the TLS proxy profile.
- Changed client_id processing for security requirements
  - 10.0.1.4 - Security requirement processing checks for the client_id in all locations, including the request body. When a client_id is found in more than one location, the request is rejected. The locations that are checked during processing are header, query, and request body. This change complies with RFC 6749 and protects against threats where an attacker attempts to glean ID validity and API security requirements by passing a client_id in multiple locations.
- For SFTP get operations, the maximum read size
  - 10.0.1.4 - When files are retrieved over the SFTP protocol, the system default maximum read size changed to 65536 bytes. Previously, the maximum read size was 32768 bytes.
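The two client_id entries above (10.0.1.4 and 10.0.1.6) describe different rules for the same RFC 6749 concern: a client that sends the identifier in several places at once must not be able to learn which one the gateway honours. The Python below is an added example, not gateway code, that models both rules side by side so the difference on the same request is visible. The header name X-IBM-Client-Id (the API Connect convention) and the query/body parameter name client_id are assumptions; in practice the names come from the API's security definition. The request shape is a constructed dictionary.

```python
from urllib.parse import parse_qs

# Parameter names used in this example. X-IBM-Client-Id is the API Connect
# header convention and client_id the RFC 6749 parameter name; both are
# assumptions here, the real names come from the API's security definition.
HEADER_NAME = "X-IBM-Client-Id"
PARAM_NAME = "client_id"


def _from_header(request):
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return headers.get(HEADER_NAME.lower())


def _from_form(encoded):
    # parse_qs handles both a query string and a form-encoded body.
    values = parse_qs(encoded or "").get(PARAM_NAME)
    return values[0] if values else None


def extract_client_id_10_0_1_4(request):
    """10.0.1.4 rule: consult header, query and request body, and reject a
    request that carries the client_id in more than one of them.
    Returns (client_id or None, reason)."""
    found = {}
    for location, value in (("header", _from_header(request)),
                            ("query", _from_form(request.get("query"))),
                            ("body", _from_form(request.get("body")))):
        if value is not None:
            found[location] = value
    if not found:
        return None, "rejected: no client_id"
    if len(found) > 1:
        return None, "rejected: client_id in " + " and ".join(sorted(found))
    location, value = next(iter(found.items()))
    return value, "accepted from " + location


def extract_client_id_10_0_1_6(request, defined_in):
    """10.0.1.6 rule: consult only the location named by the security
    definition ('header' or 'query'); the request body is never read and a
    copy in any other location is ignored. Returns (client_id or None, reason)."""
    if defined_in == "header":
        value = _from_header(request)
    elif defined_in == "query":
        value = _from_form(request.get("query"))
    else:
        raise ValueError("security definition location must be header or query")
    if value is None:
        return None, "rejected: no client_id in " + defined_in
    return value, "accepted from " + defined_in


# Constructed sample request: the identifier is sent in the header and again
# in a form-encoded body, which is the probing pattern the change targets.
REQ_HEADER_AND_BODY = {
    "headers": {"Content-Type": "application/x-www-form-urlencoded",
                "X-IBM-Client-Id": "abc123"},
    "query": "",
    "body": "client_id=abc123&grant_type=client_credentials",
}

if __name__ == "__main__":
    print("10.0.1.4:", extract_client_id_10_0_1_4(REQ_HEADER_AND_BODY))
    print("10.0.1.6:", extract_client_id_10_0_1_6(REQ_HEADER_AND_BODY, "header"))
```

On the sample request the 10.0.1.4 rule rejects outright, while the 10.0.1.6 rule accepts the header value and never touches the body; a request that carries the identifier only in the body is accepted by the older rule and rejected by the newer one.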
- Added response header when CORS is enabled
  - 10.0.1.4 - When CORS is enabled, the response that is sent to the client includes a Vary: Origin header.
- Removed dependency on the API security token manager for a third-party OAuth provider
  - 10.0.1.4 - When you define OAuth provider settings and the provider type is third party, you no longer need to define the API security token manager. When you do not define the API security token manager, third-party tokens are always cached. For more information, see OAuth provider caches.
- Changed token-validation requirements for third-party OAuth providers
  - 10.0.1.4 - When the third-party provider response indicates whether the access token is valid, OAuth always accepts this value, independent of the validation mode setting. Previously, when the validation mode was set to connected and the access token was expired, processing returned an HTTP 200 status code. Current processing returns an HTTP 401 status code.
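The 10.0.1.4 token-validation entry above and the 10.0.1.14 scope-handling entry earlier in this list together define how a third-party introspection response is applied: the provider's active flag is final and a non-active token yields HTTP 401, and with 200 OK + active:true the scopes the security requirement demands must be a subset of the scopes in the response body. The Python below is an added example, not gateway code, that implements that decision over an RFC 7662 style response. It assumes a space-separated scope string as RFC 7662 defines (a list is also accepted), and it treats the advanced-scope-checks case as deferred rather than decided, since the page says only that the strict subset check no longer denies the request then. The response bodies are constructed samples.

```python
import json


def evaluate_introspection(status, body, required_scopes, advanced_scope_checks=False):
    """Apply a third-party introspection response to an OAuth security requirement.

    status, body: the HTTP status and body returned by the provider's
    introspection endpoint. required_scopes: scopes the API's security
    requirement demands. Returns (allowed, reason), where allowed is True,
    False, or None when the decision is deferred to advanced scope checks.
    """
    # 10.0.1.4: the provider's verdict on the token is accepted whatever the
    # validation mode; anything other than 200 OK + active:true is HTTP 401.
    if status != 200:
        return False, "401: provider returned HTTP %d" % status
    try:
        response = json.loads(body)
    except ValueError:
        return False, "401: introspection body is not JSON"
    if response.get("active") is not True:
        # A JSON string "true" is not the boolean and must not pass.
        return False, "401: token not active"

    # 10.0.1.14: with 200 OK + active:true, required scopes must be a subset of
    # the response scopes. RFC 7662 defines "scope" as a space-separated
    # string; a list is also accepted here (assumption: some providers emit one).
    scope = response.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = set(required_scopes) - granted
    if missing:
        if advanced_scope_checks:
            # The page says the strict check does not deny here; what the
            # advanced checks decide is outside this example.
            return None, "deferred to advanced scope checks"
        # The page gives no status code for this denial, so none is claimed.
        return False, "denied: missing scopes " + " ".join(sorted(missing))
    return True, "allowed"


# Constructed sample responses from a third-party introspection endpoint.
ACTIVE_RESPONSE = '{"active": true, "scope": "orders:read orders:write", "client_id": "abc123"}'
INACTIVE_RESPONSE = '{"active": false}'

if __name__ == "__main__":
    print(evaluate_introspection(200, ACTIVE_RESPONSE, ["orders:read"]))
    print(evaluate_introspection(200, ACTIVE_RESPONSE, ["orders:read", "orders:delete"]))
    print(evaluate_introspection(200, INACTIVE_RESPONSE, ["orders:read"]))
    print(evaluate_introspection(503, "", ["orders:read"]))
```

The check is deliberately a set difference rather than a string comparison: scope order in the provider response is not significant, and a requirement for a scope the token does not carry is reported by name so the denial can be logged usefully.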
- Augmented details retrieved for API probe capture settings
  - 10.0.1.4 - When you use the REST GetDetailsAPIProbeCaptureSetting action, the response includes the following fields.
    - "Interval": seconds
    - "RequireDebugHeader": true | false
    - "SendTIDInResponseHeader": true | false
    - "EncryptionAlgorithm": "algorithm"
    - "EncryptionCertificate": "certificate"
    - "LogLevel": "payload" | "debug"
    - "FilterByAPI": "API"
    - "FilterByCatalog": "catalog"
    - "FilterByIP": "address"
    - "FilterByPath": "path"
    - "FilterByClientID": "clientID"
    The EncryptionAlgorithm, FilterByAPI, FilterByCatalog, FilterByIP, FilterByPath, and FilterByClientID fields are included only when they contain values.
- var://service/tls-info variable
  - 10.0.1.3 - Removed information about the session ID from the output of the var://service/tls-info variable.
- X-Global-Transaction-ID header
  - 10.0.1.3 - Added the X-Global-Transaction-ID header to requests sent to the following endpoints during OAuth processing with an API gateway.
    - External token management endpoint
    - Introspection endpoint for a third-party provider
    - Metadata endpoint
- Assembly log action
  - 10.0.1.1 - The send operation for an assembly log action adds the captured data to the analytics queue for the next offload of analytics data. You cannot immediately send the captured data to the analytics endpoint.
- API analytics offload
  - 10.0.1.0 - API gateway analytics offload occurs when either of the following conditions is met.
    - 10% of the value set for maximum records to buffer is reached.
    - The offload interval elapses.
- Search in GUI and documentation for SSL objects
  - 10.0.1.0 - Renamed SSL objects to TLS objects.
    - In the GUI, search for TLS. Previously, you searched for SSL.
    - In the documentation, search for TLS. Previously, you searched for SSL.
- var://service/system/status variable
  - 10.0.1.0 - You cannot retrieve the data for all status providers. The purpose of the var://service/system/status/ variable is to retrieve data for a specific status provider by its StatusEnum type. When you attempt to retrieve data for all status providers with this variable, the response is a syntax error.