What's new in Version 10.0.5.3
This page details the enhancements in IBM® API Connect Version 10.0.5.3 since the previous release.
- From API Connect 10.0.5.3, the Developer Portal, which is built on the open source Drupal content management system, will be upgraded from Drupal 9 to Drupal 10. This upgrade also requires PHP 8.1. The upgrade tooling will update your Developer Portal sites, however, if you have any custom modules or themes, it is your responsibility to ensure their compatibility with Drupal 10 and PHP 8.1 before the upgrade. For more information about the Drupal 10 upgrade and how to prepare for it, see Guidelines on upgrading your Developer Portal from Drupal 9 to Drupal 10.
- Sender details for email notifications for
consumer:app-suspended
andconsumer:app-reinstated
are updated to be consistent with the notifications in the consumer space. See What's new for API product managers for more details.
What's new for Developers
- Added APIs to manipulate attachments in a message object
- The message object provides APIs and properties to manipulate message attachments. For more information, see Manipulating attachments in a message object.
- Added the
JSON
custom scalar type for GraphQL APIs - You can use the
JSON
custom scalar type in GraphQL APIs to specify JSON payloads. For more information, see GraphQL custom schema directives and scalar types. - Added the ability to specify strict UTF-8 encoding for JSON documents
- When you configure a Parse policy, you can specify whether to enforce strict UTF-8 encoding throughout the entire JSON document. For more information, see Parse.
- Client credentials are shown in response to the
apps:create
command - If you're using the toolkit CLI to create consumer
applications, the
apic apps:create
command now returns the client credentials for the application. For example, running the following command:
with the following payload:apic apps:create -s my_mgt_endpoint -o my_org -c my_catalog --consumer-org my_consumer-org tests/fixtures/refs/testapp.json
returns the following response:{"title":"Jessica's Store","name":"store","redirect_endpoints":[]}
For more information about how to run toolkit CLI commands, see API development and management commands.store [state: enabled] https://example.com/api/apps/e6a4d5f1-bec0-416b-b1b7-738cc854c5b5/463d84ea-e70a-4338-beed-f3c2fe2547c0/423e0d4d-ea7c-4512-a5f6-afbd60bc3920/dab4a161-fdcd-455a-b5e7-c8447cc52105 client_id:'12340747f8bed76c4807988603bffa1f' client_secret: 'f123d1098ace3aa02d35d3f0da65a9f3'
- Updates to Automated API behavior testing OpenAPI 3.0 support
- You can use OpenAPI 3.0 APIs in Automated API behavior testing. For more information, see Testing an API with Automated API behavior testing.
What's new for API product managers
- Sender details for email notifications for
consumer:app-suspended
andconsumer:app-reinstated
are updated to be consistent with the notifications in the consumer space - The sender address details for the following two email templates are now consistent with the
other email notifications:
consumer:app-suspended
consumer:app-reinstated
app-suspended
andapp-reinstated
notifications were always sent from the Cloud level sender name and address that's configured in the Cloud Manager. However, this configuration does not follow the established pattern for notifications, as documented in Configuring sender details for email notifications.These two templates are now sent from the sender address that's configured at the Catalog level, if provided, or the Provider Organization level, or, if neither of those sender details are provided, the Cloud Manager level, consistent with existing behavior for other templates.
- Specify the fields that are returned from analytics REST API and toolkit CLI event queries.
- You can specify the API event record fields that you want returned from REST API and toolkit CLI event queries. Use
the
--fields
argument with the toolkit CLI, and thefields
query parameter with the REST API, for example:/events?fields=bytes_received,bytes_sent
- Analytics discover view in context filtering
- While you're viewing the analytics API event data in the discover view, you can now quickly add and remove filters to update the event data displayed. For more information about filtering analytics UI data, see Filtering displayed data.
- Analytics dashboards enhanced with new charts
- Three new charts are added to the analytics dashboards.
- Usage Dashboard: Top APIs by request size.
- Usage Dashboard: Top APIs by response size.
- Monitoring Latency Dashboard: Top APIs by response time.
- New analytics dashboard: Gateway Operations
- A new analytics dashboard is provided, which shows the API usage and latency per gateway. For more information about the analytics dashboards, see Analytics dashboards.
- Ability to save and share analytics queries
- You can now save and share analytics queries created in the Cloud Manager and API Manager UIs. For more information about saving and sharing queries, see API Manager UI analytics view.
- Geographic IP data included in analytics API event data
- The API event data now includes geographic information of the client IP address that called the API, and of the gateway itself. The geoIP feature is disabled by default. To use this feature, see Including geoIP fields in analytics data.
What's new for Developer Portal site administrators
- Change to the behavior of the approval process for onboarding to the Developer Portal
- The way that the approval process works for onboarding to the Developer Portal has
changed. In earlier releases, if Self service onboarding approval is enabled,
and a user was approved to access a Developer Portal with
a specific consumer organization, that user would not need to go through the approval process again
if they created more consumer organizations for the same Developer Portal.
Now, Self service onboarding approval is honored whenever a consumer organization is created. So, even if a user is approved to access a Developer Portal with one consumer organization, if they then try to create another consumer organization in the same Developer Portal, their request will still go through the approval process.
For more information, see Creating and configuring Catalogs.
- Developer Portal upgrade to Drupal 10
-
From API Connect 10.0.5.3, the Developer Portal, which is built on the open source Drupal content management system, will be upgraded from Drupal 9 to Drupal 10. This upgrade also requires PHP 8.1. As a result, all existing Developer Portal sites will be upgraded to Drupal 10, and all new sites will be based on Drupal 10 as well. Ensure that all modules and themes used on your Developer Portal site are compatible with Drupal 10 and PHP 8.1. While core modules and themes will be automatically made compatible as part of the upgrade, any custom modules or themes, whether created in-house or contributed by the Drupal community, need to be verified for compatibility before the upgrade.
- Dynamic translations for API Connect entities
- The latest Developer Portal
upgrade contains a dynamic translations feature for the API Connect entities,
including Blocks, Nodes, and Menu
Links. Now, when you update the existing translations for your API Connect entities, the
changes are automatically reflected across your sites without the need of re-translation. The
dynamic translations feature also includes adding new language codes and their accompanying
translations.
Note that the translation changes may take 5-10 minutes to appear on the site as the cache recycles.
What's new for DevOps
- (Red Hat OpenShift) Change from cloudctl to ibm-pak for installing and upgrading air-gapped deployments
- Previous versions of API Connect used IBM Cloud Pak CLI (cloudctl) as the mirroring tool for
installing and upgrading in air-gapped environments. API Connect 10.0.5.3 uses IBM Catalog
Management Plug-in for IBM Cloud Paks (ibm-pak) instead. The ibm-pak plug-in extends the Red Hat
OpenShift CLI (oc command) capability and streamlines the process of delivering installation images
to the IBM Cloud Pak in an air-gapped environment.
For information on installing and upgrading API Connect on Red Hat OpenShift in an air-gapped environment, see the air-gap installation instructions and the air-gap upgrade instructions.
- Daily Management subsystem local backups are taken by default
- The Management subsystem now takes local backups by default. On new installations or upgrades
where the user does not specify backup settings, management backups are taken daily at 01:00 UTC,
and retained for 14 days. Local backups are set by default to prevent the situation where no backup
settings cause continuous accumulation of WAL archives to local PVC.
Local backups are stored on the management subsystem, and so cannot be used for disaster recovery. Configure remote S3 or SFTP backups for disaster recovery.
For more information about management backups, see: - (Kubernetes, Red Hat OpenShift) Improved platform health status monitoring using Kubernetes events
- A new feature is enabled in the IBM
APIConnect
operator on Kubernetes and Red Hat OpenShift to generate CR events whenever there is a change in the top-level CR (APIConnectCluster) or subsystem CRs (ManagementCluster, GatewayCluster, AnalyticsCluster, PortalCluster
) status conditions. Along with CR status conditions, you can monitor these events by using any third-party alerting system.For more information, see Monitoring platform health using Kubernetes events or Monitoring platform health on Red Hat OpenShift using Kubernetes events.
- Red Hat OpenShift-based deployments now manage foundational services through the API Connect operands
- In previous releases of API Connect, a deployment on Red Hat OpenShift (including as a
capability in Cloud Pak for Integration) managed the use of IBM Cloud Pak foundational services
through dependencies that are enforced by OLM at the operator level. Beginning with API Connect
10.0.5.3, the dependency on foundational services is no longer managed at the operator level by OLM,
but is instead handled at the operand level by the API Connect operator. This change provides more
flexibility going forward by allowing the APIC operator to enforce the dependency only on the
operands that actually require it.
This change applies to new installations only. For more information, see the appropriate installation instructions for your Red Hat OpenShift environment.
- Configure analytics retention and rollover settings in the Cloud Manager UI
- In previous releases, the only way to modify the retention and rollover settings was by using the toolkit CLI. It is now possible to configure these settings in the Cloud Manager UI. For more information, see Configure data retention and index rollover time periods.
- New message column in management and top-level get CR output
- A new
MESSAGE
column is added to the output ofkubetl get <cr name>
for the management CR. TheMESSAGE
column provides additional information on the state of the management subsystem. For example,
On Cloud Pak for Integration, and on Red Hat OpenShift, if you installed API Connect with the top-level CR, the newkubectl get mgmt -n <namespace> NAME READY STATUS VERSION RECONCILED VERSION MESSAGE AGE management 17/17 Running 10.0.5.3 10.0.5.3-0 Management is ready 2d22h
MESSAGE
column is also shown for the top-level CR. For example,oc get apiconnectcluster -n <namespace> NAME READY STATUS VERSION RECONCILED VERSION MESSAGE AGE small 7/7 Ready 10.0.5.3 10.0.5.3-16 API Connect cluster is ready 2d5h
- Automatic verification and reporting of two data center disaster recovery management database replication
- In two data center disaster recovery deployments,
the management subsystem automatically monitors the replication status of the management databases,
and reports any failures in the management CR status output. For
example,
NAME READY STATUS VERSION RECONCILED VERSION MESSAGE AGE management 18/18 Warning 10.0.5.3-0 10.0.5.3-0 Management is ready. HA Status Warning - see HAStatus in CR for details 8m59s status: haStatus {sssssss "lastTransitionTime": "2023-03-31T19:47:08Z", "message": "Replication not working, install or upgrade in progress.", "reason": "na", "status": "True", "type": "Pending" }
- Gateway CR property
validateApimClient
renamed tomtlsValidateClient
- The
validateApimClient
property is renamed tomtlsValidateClient
to match what is used in the other subsystems.validateApimClient
is deprecated. When you upgrade to 10.0.5.3,validateApimClient
is automatically changed tomtlsValidateClient
in the gateway CR. - Use JWT instead of mTLS for some inter-subsystem communications
- Most of the network interactions between API Connect subsystems use mTLS.
The use of mTLS requires that any load-balancers that are located between subsystems are configured
for TLS pass-through. If you want to use TLS termination at your load-balancers instead of
pass-through on certain routes, you can disable mTLS and enable JWT security instead. For more
information, see Enable JWT security instead of mTLS.If you are upgrading from an earlier release, to enable this feature see the following topics:
- Non-OVA only: Use service (in-cluster) communication between subsystems, instead of external ingress/route based communication
- If your subsystems are installed in the same cluster, then Kubernetes services can be used for inter-subsystem communication, instead of the default ingress/route based communication that requires external exposure of HTTPS endpoints. For more information, see In-cluster service communication between subsystems.
- Non-OVA only: New analytics database deployment option: Dedicated storage
- Analytics now supports the OpenSearch dedicated storage type. Dedicated storage allows the management of the OpenSearch cluster, and the storage of analytics data to be separated into different pods. Using dedicated storage provides greater stability and allows some configuration changes to be made without downtime. Dedicated storage is available on three replica deployments only.
- New analytics dashboard: Gateway Operations
- A new analytics dashboard is provided, which shows the API usage and latency per gateway. For more information about the analytics dashboards, see Cloud Manager UI analytics view.
- New
customPlatformApiHostname
field available for Developer Portal restore - A new
customPlatformApiHostname
field is available to use when restoring the Developer Portal. The field allows you to provide a custom platform API hostname override for the Developer Portalrestore system
orrestore all
commands. If theAPI
hostname of your management subsystem platform has changed since taking the backup you are restoring, then update it to the new platform API hostname of the management subsystem by using this override. For more information about restoring the Developer Portal, see:
- New
field available for Developer Portal backup settingsportalBackupRecordDays
- The
portalBackupRecordDays
setting denotes the number of days that backup records (backups that exist on the remote backup server) are shown when you list your remote backups. It is defaulted to 30 days. For more information about Developer Portal, see Backing up and restoring the Developer Portal in a Kubernetes environment.
What's new for security practitioners
- The MD5 certificate fingerprint format is no longer displayed
- API Connect no longer calculates and displays the certificate fingerprint format of MD5. However, the SHA1 and SHA256 certificate fingerprint formats are displayed.
- Two additional claims added to the JWKS URL endpoint on the management platform REST API
- The following two claims are added to the JSON Web Key Set (JWKS) URL
(/api/cloud/oauth2/certs) endpoint that is hosted on the REST API of the
management platform.
iss
: describes the issuer of the token, which is IBM API Connect.purpose
: describes what kind of API Connect token the key can be used to verify.