What's new in Version 10.0.5.3

This page details the enhancements in IBM® API Connect Version 10.0.5.3 since the previous release.

Important: Note the following key changes in IBM API Connect Version 10.0.5.3:
  • From API Connect 10.0.5.3, the Developer Portal, which is built on the open source Drupal content management system, will be upgraded from Drupal 9 to Drupal 10. This upgrade also requires PHP 8.1. The upgrade tooling will update your Developer Portal sites, however, if you have any custom modules or themes, it is your responsibility to ensure their compatibility with Drupal 10 and PHP 8.1 before the upgrade. For more information about the Drupal 10 upgrade and how to prepare for it, see Guidelines on upgrading your Developer Portal from Drupal 9 to Drupal 10.
  • Sender details for email notifications for consumer:app-suspended and consumer:app-reinstated are updated to be consistent with the notifications in the consumer space. See What's new for API product managers for more details.

What's new for Developers

Added APIs to manipulate attachments in a message object
The message object provides APIs and properties to manipulate message attachments. For more information, see Manipulating attachments in a message object.

Added the JSON custom scalar type for GraphQL APIs
You can use the JSON custom scalar type in GraphQL APIs to specify JSON payloads. For more information, see GraphQL custom schema directives and scalar types.

Added the ability to specify strict UTF-8 encoding for JSON documents
When you configure a Parse policy, you can specify whether to enforce strict UTF-8 encoding throughout the entire JSON document. For more information, see Parse.

Client credentials are shown in response to the apps:create command
If you're using the toolkit CLI to create consumer applications, the apic apps:create command now returns the client credentials for the application. For example, running the following command:
apic apps:create -s my_mgt_endpoint -o my_org -c my_catalog --consumer-org my_consumer-org tests/fixtures/refs/testapp.json
with the following payload:
{"title":"Jessica's Store","name":"store","redirect_endpoints":[]}
returns the following response:
store    [state: enabled]   https://example.com/api/apps/e6a4d5f1-bec0-416b-b1b7-738cc854c5b5/463d84ea-e70a-4338-beed-f3c2fe2547c0/423e0d4d-ea7c-4512-a5f6-afbd60bc3920/dab4a161-fdcd-455a-b5e7-c8447cc52105   
client_id:'12340747f8bed76c4807988603bffa1f'    client_secret: 'f123d1098ace3aa02d35d3f0da65a9f3'
For more information about how to run toolkit CLI commands, see API development and management commands.

Updates to Automated API behavior testing OpenAPI 3.0 support
You can use OpenAPI 3.0 APIs in Automated API behavior testing. For more information, see Testing an API with Automated API behavior testing.

What's new for API product managers

Sender details for email notifications for consumer:app-suspended and consumer:app-reinstated are updated to be consistent with the notifications in the consumer space
The sender address details for the following two email templates are now consistent with the other email notifications:
  • consumer:app-suspended
  • consumer:app-reinstated
Previously, app-suspended and app-reinstated notifications were always sent from the Cloud level sender name and address that's configured in the Cloud Manager. However, this configuration does not follow the established pattern for notifications, as documented in Configuring sender details for email notifications.

These two templates are now sent from the sender address that's configured at the Catalog level, if provided, or the Provider Organization level, or, if neither of those sender details are provided, the Cloud Manager level, consistent with existing behavior for other templates.

Specify the fields that are returned from analytics REST API and toolkit CLI event queries.
You can specify the API event record fields that you want returned from REST API and toolkit CLI event queries. Use the --fields argument with the toolkit CLI, and the fields query parameter with the REST API, for example:
/events?fields=bytes_received,bytes_sent

Analytics discover view in context filtering
While you're viewing the analytics API event data in the discover view, you can now quickly add and remove filters to update the event data displayed. For more information about filtering analytics UI data, see Filtering displayed data.

Analytics dashboards enhanced with new charts
Three new charts are added to the analytics dashboards.
  • Usage Dashboard: Top APIs by request size.
  • Usage Dashboard: Top APIs by response size.
  • Monitoring Latency Dashboard: Top APIs by response time.

New analytics dashboard: Gateway Operations
A new analytics dashboard is provided, which shows the API usage and latency per gateway. For more information about the analytics dashboards, see Analytics dashboards.

Ability to save and share analytics queries
You can now save and share analytics queries created in the Cloud Manager and API Manager UIs. For more information about saving and sharing queries, see API Manager UI analytics view.
Geographic IP data included in analytics API event data
The API event data now includes geographic information of the client IP address that called the API, and of the gateway itself. The geoIP feature is disabled by default. To use this feature, see Including geoIP fields in analytics data.

What's new for Developer Portal site administrators

Change to the behavior of the approval process for onboarding to the Developer Portal
The way that the approval process works for onboarding to the Developer Portal has changed. In earlier releases, if Self service onboarding approval is enabled, and a user was approved to access a Developer Portal with a specific consumer organization, that user would not need to go through the approval process again if they created more consumer organizations for the same Developer Portal.

Now, Self service onboarding approval is honored whenever a consumer organization is created. So, even if a user is approved to access a Developer Portal with one consumer organization, if they then try to create another consumer organization in the same Developer Portal, their request will still go through the approval process.

For more information, see Creating and configuring Catalogs.

Developer Portal upgrade to Drupal 10

From API Connect 10.0.5.3, the Developer Portal, which is built on the open source Drupal content management system, will be upgraded from Drupal 9 to Drupal 10. This upgrade also requires PHP 8.1. As a result, all existing Developer Portal sites will be upgraded to Drupal 10, and all new sites will be based on Drupal 10 as well. Ensure that all modules and themes used on your Developer Portal site are compatible with Drupal 10 and PHP 8.1. While core modules and themes will be automatically made compatible as part of the upgrade, any custom modules or themes, whether created in-house or contributed by the Drupal community, need to be verified for compatibility before the upgrade.

For more information about the Drupal 10 upgrade, and how to ensure compatibility, see Guidelines on upgrading your Developer Portal from Drupal 9 to Drupal 10.

Dynamic translations for API Connect entities
The latest Developer Portal upgrade contains a dynamic translations feature for the API Connect entities, including Blocks, Nodes, and Menu Links. Now, when you update the existing translations for your API Connect entities, the changes are automatically reflected across your sites without the need of re-translation. The dynamic translations feature also includes adding new language codes and their accompanying translations.

Note that the translation changes may take 5-10 minutes to appear on the site as the cache recycles.

What's new for DevOps

(Red Hat OpenShift) Change from cloudctl to ibm-pak for installing and upgrading air-gapped deployments
Previous versions of API Connect used IBM Cloud Pak CLI (cloudctl) as the mirroring tool for installing and upgrading in air-gapped environments. API Connect 10.0.5.3 uses IBM Catalog Management Plug-in for IBM Cloud Paks (ibm-pak) instead. The ibm-pak plug-in extends the Red Hat OpenShift CLI (oc command) capability and streamlines the process of delivering installation images to the IBM Cloud Pak in an air-gapped environment.

For information on installing and upgrading API Connect on Red Hat OpenShift in an air-gapped environment, see the air-gap installation instructions and the air-gap upgrade instructions.

Daily Management subsystem local backups are taken by default
The Management subsystem now takes local backups by default. On new installations or upgrades where the user does not specify backup settings, management backups are taken daily at 01:00 UTC, and retained for 14 days. Local backups are set by default to prevent the situation where no backup settings cause continuous accumulation of WAL archives to local PVC.

Local backups are stored on the management subsystem, and so cannot be used for disaster recovery. Configure remote S3 or SFTP backups for disaster recovery.

For more information about management backups, see:

(Kubernetes, Red Hat OpenShift) Improved platform health status monitoring using Kubernetes events
A new feature is enabled in the IBM APIConnect operator on Kubernetes and Red Hat OpenShift to generate CR events whenever there is a change in the top-level CR (APIConnectCluster) or subsystem CRs (ManagementCluster, GatewayCluster, AnalyticsCluster, PortalCluster) status conditions. Along with CR status conditions, you can monitor these events by using any third-party alerting system.

For more information, see Monitoring platform health using Kubernetes events or Monitoring platform health on Red Hat OpenShift using Kubernetes events.

Red Hat OpenShift-based deployments now manage foundational services through the API Connect operands
In previous releases of API Connect, a deployment on Red Hat OpenShift (including as a capability in Cloud Pak for Integration) managed the use of IBM Cloud Pak foundational services through dependencies that are enforced by OLM at the operator level. Beginning with API Connect 10.0.5.3, the dependency on foundational services is no longer managed at the operator level by OLM, but is instead handled at the operand level by the API Connect operator. This change provides more flexibility going forward by allowing the APIC operator to enforce the dependency only on the operands that actually require it.

This change applies to new installations only. For more information, see the appropriate installation instructions for your Red Hat OpenShift environment.

Configure analytics retention and rollover settings in the Cloud Manager UI
In previous releases, the only way to modify the retention and rollover settings was by using the toolkit CLI. It is now possible to configure these settings in the Cloud Manager UI. For more information, see Configure data retention and index rollover time periods.

New message column in management and top-level get CR output
A new MESSAGE column is added to the output of kubetl get <cr name> for the management CR. The MESSAGE column provides additional information on the state of the management subsystem. For example,
kubectl get mgmt -n <namespace>

NAME         READY   STATUS    VERSION    RECONCILED VERSION   MESSAGE               AGE
management   17/17   Running   10.0.5.3   10.0.5.3-0           Management is ready   2d22h
On Cloud Pak for Integration, and on Red Hat OpenShift, if you installed API Connect with the top-level CR, the new MESSAGE column is also shown for the top-level CR. For example,
oc get apiconnectcluster -n <namespace>

NAME    READY   STATUS   VERSION    RECONCILED VERSION   MESSAGE                        AGE
small   7/7     Ready    10.0.5.3   10.0.5.3-16          API Connect cluster is ready   2d5h

Automatic verification and reporting of two data center disaster recovery management database replication
In two data center disaster recovery deployments, the management subsystem automatically monitors the replication status of the management databases, and reports any failures in the management CR status output. For example,
NAME         READY   STATUS    VERSION      RECONCILED VERSION   MESSAGE                                                                          AGE
management   18/18   Warning   10.0.5.3-0   10.0.5.3-0           Management is ready. HA Status Warning - see HAStatus in CR for details   8m59s

status:
  haStatus
  {sssssss
    "lastTransitionTime": "2023-03-31T19:47:08Z",
    "message": "Replication not working, install or upgrade in progress.",
    "reason": "na",
    "status": "True",
    "type": "Pending"
  }
Gateway CR property validateApimClient renamed to mtlsValidateClient
The validateApimClient property is renamed to mtlsValidateClient to match what is used in the other subsystems. validateApimClientis deprecated. When you upgrade to 10.0.5.3, validateApimClient is automatically changed to mtlsValidateClient in the gateway CR.

Use JWT instead of mTLS for some inter-subsystem communications
Most of the network interactions between API Connect subsystems use mTLS. The use of mTLS requires that any load-balancers that are located between subsystems are configured for TLS pass-through. If you want to use TLS termination at your load-balancers instead of pass-through on certain routes, you can disable mTLS and enable JWT security instead. For more information, see Enable JWT security instead of mTLS.

Non-OVA only: Use service (in-cluster) communication between subsystems, instead of external ingress/route based communication
If your subsystems are installed in the same cluster, then Kubernetes services can be used for inter-subsystem communication, instead of the default ingress/route based communication that requires external exposure of HTTPS endpoints. For more information, see In-cluster service communication between subsystems.

Non-OVA only: New analytics database deployment option: Dedicated storage
Analytics now supports the OpenSearch dedicated storage type. Dedicated storage allows the management of the OpenSearch cluster, and the storage of analytics data to be separated into different pods. Using dedicated storage provides greater stability and allows some configuration changes to be made without downtime. Dedicated storage is available on three replica deployments only.
New analytics dashboard: Gateway Operations
A new analytics dashboard is provided, which shows the API usage and latency per gateway. For more information about the analytics dashboards, see Cloud Manager UI analytics view.

New customPlatformApiHostname field available for Developer Portal restore
A new customPlatformApiHostname field is available to use when restoring the Developer Portal. The field allows you to provide a custom platform API hostname override for the Developer Portal restore system or restore all commands. If the API hostname of your management subsystem platform has changed since taking the backup you are restoring, then update it to the new platform API hostname of the management subsystem by using this override. For more information about restoring the Developer Portal, see:
New portalBackupRecordDays field available for Developer Portal backup settings
The portalBackupRecordDays setting denotes the number of days that backup records (backups that exist on the remote backup server) are shown when you list your remote backups. It is defaulted to 30 days. For more information about Developer Portal, see Backing up and restoring the Developer Portal in a Kubernetes environment.

What's new for security practitioners

The MD5 certificate fingerprint format is no longer displayed
API Connect no longer calculates and displays the certificate fingerprint format of MD5. However, the SHA1 and SHA256 certificate fingerprint formats are displayed.

Two additional claims added to the JWKS URL endpoint on the management platform REST API
The following two claims are added to the JSON Web Key Set (JWKS) URL (/api/cloud/oauth2/certs) endpoint that is hosted on the REST API of the management platform.
  • iss: describes the issuer of the token, which is IBM API Connect.
  • purpose: describes what kind of API Connect token the key can be used to verify.