What's new in the latest release (version 10.0.8.0)

Find out about the newest features and the latest updates in API Connect.

IBM® API Connect 10.0.8.0 is a Support Cycle-2 release, and is the follow-on release to the prior Continuous Delivery (CD) releases 10.0.7.0 and 10.0.6.0. Support Cycle-2 (SC-2) is the new name for Long Term Support (LTS), such as the 10.0.5.x and 10.0.1.x. releases.

Product files and release notes

  • Access the latest files from IBM Fix Central by searching for the API Connect product and your installed version. Full installation files for IBM API Connect can be downloaded from Passport Advantage.
  • For details on the specific APARs that are included in this release, and links to downloads, blogs, and conference notices, see the IBM API Connect 10.0.8.0 Support Announcement page.
  • For more details about support lifecycle policies at IBM, such as Support Cycle-2, see IBM Software Support Lifecycle Policies.

Upgrading from API Connect 10.0.5.x

If you're upgrading to 10.0.8.x from 10.0.5.x, you should also note the major updates that were delivered to API Connect in versions 10.0.6.0 and 10.0.7.0. For a list of the key changes, see Upgrading to 10.0.8.x from 10.0.5.x.

IBM API Connect 10.0.8.0 includes the following enhancements.

What's new for Developers

Support for OIDC discovery
API Connect now provides native support for OIDC discovery, which allows a client to query attributes of the provider itself. You can supply the provider's URL as the OpenIDConnect Discovery path while Configuring the OIDC parameters for a native OAuth provider.

The Automated API behavior testing application is now available from the API Manager home page
If your cloud administrator installed the Automated API behavior testing application, you can access it by clicking the Test tile on the API Manager home page. For information on using the test application, see Testing an API with Automated API behavior testing.

New API discovery capability
Now, you can quickly discover the APIs in your organization, and pull them automatically into your API Manager, by using GitHub, DataPower® API Gateway proxy, and OpenTelemetry collectors. For more information, see API discovery.

Governance service updates
The following updates to the governance service are now available:

LoopBack is no longer supported

Beginning with API Connect 10.0.8.0, LoopBack is no longer supported. LoopBack is not included with the toolkit, and is not discussed in this documentation.

Toolkit CLI documentation relocated

The toolkit CLI documentation is now published at https://ibm-apiconnect.github.io/clidocs, instead of in the reference section of this collection.

Importing AsyncAPI with Event Endpoint Management

You can now import an AsyncAPI that was exported from Event Endpoint Management. For more information, see Importing an AsyncAPI from Event Endpoint Management.

Creating AsyncAPI with Event Endpoint Management

You can now create AsyncAPI by using Event Endpoint Management. AsyncAPI managed in Event Endpoint Management is read only in API Connect. For more information, see Creating an AsyncAPI with Event Endpoint Management.

View the subscription task approval history

You can now view the complete history of subscription task approvals. For more information, see Approving product lifecycle and subscription requests.

Download event logs from the gateway service

You can now download event logs from the gateway service. For more information, see Reviewing processing status and downloading event logs for gateway.

Added OAuth authorization support for four grant types
Added OAuth authorization support for the following four grant types:
  • Access Code
  • Application
  • Implicit
  • Password
For more information, see Sending the API request.

What's new for API product managers

API Connect Backstage plug-in

The plug-in provides a centralized view of APIs and products across multiple API Connect clouds, organizations, and catalogs. It enables API teams to manage and monitor their API assets efficiently. For more information, see [Technology Preview] Using API Connect Backstage plug-in.

New Consumer Catalog for testing and subscribing to APIs
You can now use a Consumer Catalog for testing and subscribing to APIs. The Consumer Catalog is a non-customizable, self-service, web-based site for application developers to test and subscribe to the APIs that are published in your catalog. The site uses less resources when compared to the Developer Portal, and offers quick and basic credential access. The Consumer Catalog is ideal for smaller API catalogs and internal users, who are looking for a lightweight consumer experience with basic functionality. A customer can have either a Developer Portal or a Consumer Catalog to test and subscribe to the APIs that are published in your catalog.
For more information, see Consumer Catalog and Developer Portal considerations.
New graphical representation of API event latency
The API latency visualizer has a new horizontal bar that highlights where most of time is spent in the processing of an API call.

Analytics event_id generation

The auto-generated event_id for analytics API events is now generated based on a hashed version of the datetime, transaction_id, and client_id fields combined by using the SHA1 algorithm.

This change prevents the analytics subsystem from ingesting duplicated API events, which can be caused by gateway failure.

New gateway_type field in analytics API events
The API event records have a new field gateway_type that indicates the type of gateway and version that processed the API call. For example, apigw/10.5.3.0. API event record fields are listed in API event fields.

All gateway types except for the V5 compatible gateway (v5c), set the new gateway_type field when they generate API events.

New log_policy filter option to select API events by logging type
Filter the view of your API events by log policy. An example use case is when your analytics persistent storage is near its limit and you want to identify all APIs that are set to payload logging. Disabling payload logging on your APIs reduces persistent storage use.

New analytics chart that shows the distribution of API calls across catalogs

If the same API is published to multiple catalogs, the new chart shows how calls to that API are distributed across your catalogs.

Analytics consumer's user agent string parsed to provide more details about the user

To provide more information on who is calling your APIs, the consumer's http_user_agent string is parsed into individual fields in the API event record, such as user_agent.os_version. The full list of user_agent fields is documented in API event fields.

Analytics reports can be exported from the UI as PDF
The detailed reports in Cloud Manager and API Manager UIs can be exported to PDF.

Analytics dashboards updated
The following analytics dashboards are updated and the charts are redistributed across the updated dashboards to eliminate duplication:
  • New dashboards: Summary, Applications, Client information, Consumers.
  • Removed dashboard: Usage.
  • Renamed dashboards:
    • Monitoring Latency => Latency.
    • Monitoring Data => Data Transfer.
    • Monitoring Status => Status.

Analytics deprecated product report
The new report identifies which deprecated products are still being called. With this information, you can identify the consumers who are still using the deprecated APIs and encourage them to switch the new APIs.

Analytics reports available at space scope

All analytics reports are now available at the space scope, in addition to the existing cloud, provider organization, and catalog scopes.

Links to live analytics data from analytics reports
New Jump to live data button in the detailed analytics reports. Click Jump to live data to switch to the Discover view and see the current live data at the scope of the report.
Bookmark and share links to specific analytics pages, reports, and dashboards

You can bookmark and share analytics pages, reports, and dashboard views that include your filters.

Analytics CLI bucket_interval query parameter
The analytics CLI dashboards query has a new query parameter: bucket_interval. The bucket_interval parameter allows you to specify the interval between data points. For example, if you are querying for analytics data for the last week (specified with the --timeframe parameter), and you want 4 data points per day, then set bucket_interval to 6 hours (6h).

The CLI apic dashboards operations are documented here: https://ibm-apiconnect.github.io/clidocs/docs/v1008/analytics/apic_dashboards

Analytics GeoIP is enabled by default
The analytics ingestion.geoIPEnabled property is set to true by default.

When ingestion.geoIPEnabled is set to true, geographical information that is related to the callers IP address is included in API event records.

New links to analytics data from API Manager UI
The Manage Catalog and Manage Space views now have links to the analytics data and reports.

Consumer organization reports include a table of applications that are owned by the consumer

The detailed reports for consumer organizations now include a table that shows the applications that are in the consumer organization, and how many API calls each application made. Clicking the application name in this table takes you to the detailed report for the application. The application reports also include a link to the owning consumer organization report.

Analytics Logstash gelf output plug-in removed.

The output plug-in https://www.elastic.co/guide/en/logstash/current/plugins-outputs-gelf.html is removed from the analytics subsystem.

What's new for API consumers

New Consumer Catalog for testing and subscribing to APIs
API consumers can now use a Consumer Catalog for testing and subscribing to APIs. The Consumer Catalog is a non-customizable, self-service, web-based site for application developers to test and subscribe to APIs. The site uses less resources when compared to the Developer Portal, and offers quick and basic credential access. The Consumer Catalog is ideal for smaller API catalogs and internal users, who are looking for a lightweight consumer experience with basic functionality. You can have either a Developer Portal or a Consumer Catalog to test and subscribe to the APIs that are published in a catalog.
For more information, see Consumer Catalog and Developer Portal considerations.

What's new for Developer Portal site administrators

Updates to the custom-module and custom-theme Developer Portal commands
The custom-module:create-import and custom-theme:create-import commands now include a --wait flag to give you more control over the command completion time. Previously, the cache rebuild was automatically included as part of the task. Now, if you want to include the cache rebuild as part of the task, you must include the --wait flag. If you run the commands without the --wait flag, the cache is rebuilt in the background after the task is complete. For more information, see Using the custom-module commands and Using the custom-theme commands.

New Developer Portal maintenance commands
The following maintenance commands can be used to manage the maintenance operations on your Developer Portal:
  • apic maintenance:disable - Disable your maintenance operations.
  • apic maintenance:enable - Enable your maintenance operations.
  • apic maintenance:rebuild_node_access - Rebuild the node access table for your maintenance operations.
  • apic maintenance:search_api_index_rebuild - Rebuild and re-index the search API index of your maintenance operations.
  • apic maintenance:search_api_index_status - Print the search API index of your maintenance operations.
  • apic maintenance:status - Get the current mode of your maintenance operations.

For more information, see Using the maintenance commands.

New Developer Portal memcache commands
The following memcache commands can be used to manage the default caching store operations on your Developer Portal:
  • apic memcache:disable - Disable your default caching store operations and set Drupal to use database as its cache.
  • apic memcache:enable - Enable your default caching store operations and set Drupal to use RAM as its cache.
  • apic memcache:get - Get the status of your memcache enabled operations.

For more information, see Using the memcache commands.

New Developer Portal role commands
The following role commands can be used to complete some Drupal role management tasks on your Developer Portal:
  • apic role:create - Create a new user role.
  • apic role:delete - Delete an unwanted user role.
  • apic role:add-permission - Add one or more permissions to a user role.
  • apic role:remove-permission - Remove one or more permissions from a user role.
  • apic role:get - Get the details of a specific user role as well as the permissions available.
  • apic role:list - List the roles based on a specific role or permission.

For more information, see Using the role commands.

New Developer Portal sites command
You can now use a sites:reset-upgrade-attempts command to reset the upgrade attempt counter within the Developer Portal, so that failed upgrades can be retried. For more information, see Using the sites commands.

New Developer Portal queue commands
Use the queue commands to list the queued and locked platform tasks on your Developer Portal site. For more information, see Using the queue commands.

New Developer Portal user commands
The following user commands can be used to complete some Drupal user management tasks on your Developer Portal:
  • apic user:add-role - Add one or more roles to one or more specified user accounts.
  • apic user:block - Block one or more users.
  • apic user:information - Retrieve information about your users.
  • apic user:remove-role - Remove one or more roles from one or more specified user accounts.
  • apic user:unblock - Unblock one or more users.
For more information, see Using the user commands.

Removing keys that begin with x-ibm from the OpenAPI document download
By removing the keys that begin with x-ibm from the OpenAPI document download, you can download the OpenAPI documents without any key-value pairs that are IBM specific. Enabling this configuration setting removes the information about the API Management provider from the OpenAPI document that is downloaded in the Developer Portal.
For more information, see Removing keys beginning with x-ibm from OpenAPI document download.

What's new for DevOps

Upgrading the Management subsystem from 10.0.7.0 on VMware requires maintenance mode
If you are upgrading from 10.0.7.0 to 10.0.8.0, you must enable maintenance mode for the Management subsystem before you begin the upgrade. For more information, see step Upgrading management, portal, and analytics on VMware.

New cluster management operations in the analytics API for monitoring analytics ingestion
The Logstash APIs can now be run from the analytics REST API and toolkit CLI to provide more information on analytics ingestion.

Logstash API reference: https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html.

VMware apicup certs list command checks for certificate expiry
The apicup certs list command that is used on VMware now checks the expiry date of all certificates that are managed by apicup. A warning is output for any certificates that are expired or close to expiry.

For more information about checking certificate expiry on VMware, see Certificate expiry and renewal.

Analytics database backup updates
The analytics database backups can now be directed to a remote SFTP server, or stored locally.
The configuration of analytics backups and the restore procedures is simplified to two restore options:
  • Repair. Restores indexes that are corrupted or missing.
  • Replace. Restores all data from the backup, overwriting any existing data.

Object-store backups now support path-style hosts.

Note: Analytics database backups that were taken on an earlier release cannot be restored on V10.0.8.0.

Analytics n3xc4.m16 profile is deprecated
If you are using the analytics n3xc4.m16 component profile, then switch to the n3xc4.m32 profile. You can switch to the n3xc4.m32 profile before or after you upgrade to V10.0.8.0. If you continue with the n3xc4.m16 profile on V10.0.8.0, then your analytics subsystem might encounter memory limits that inhibit how much analytics data you can retain.

Top-level CR deployment profiles n3xc16.m48 and n3xc12.m40 deprecated

The top-level CR deployment profiles n3xc16.m48 and n3xc12.m40 are deprecated, and replaced with the profiles n3xc16.m64 and n3xc12.m56. It's recommended that you switch to one of these new profiles after the upgrade to 10.0.8.0 is complete. For information about switching profile, see ../com.ibm.apic.install.doc/config_ocp_switch_profile.html.

Dedicated storage is the default storage type for analytics
For three replica analytics deployments, the dedicated storage type is now the default type. Not applicable to one replica deployments where the only available storage type is shared.

Backup and restore that uses OADP
For Cloud Pak for Integration users, API Connect subsystem backups can be configured with Red Hat OpenShift API for Data Protection (OADP). For more information about OADP, see Administering backup and restore in Cloud Pak for Integration.

Cloud Pak for Integration integration during installation
The default value for metadata.annotations.apiconnect-operator/cp4i is now false in all installation scenarios except for installation with the Cloud Pak for Integration Platform UI.

For more information about Cloud Pak for Integration and API Connect integration, see OpenShift: Deciding to use individual CRs, a top-level CR, or Cloud Pak for Integration.

New API discovery optional add-on service
API discovery is an optional add-on to API Connect that can be used to quickly discover the APIs in your organization, and pull them automatically into your API Manager. For information about how to enable API discovery, see Enabling API discovery on Kubernetes and Enabling API discovery on VMware.

Cert-manager is upgraded to version 1.12.10
API Connect 10.0.8.0 uses cert-manager 1.12.10. If your environment requires a manual installation or upgrade of cert-manager, the instructions are included as part of the API Connect installation and upgrade procedures.

Backup certificates requirement for VMware
On VMware deployments, to fully backup API Connect you must run a script to extract the management subsystem certificates. For more information, see Backup management certificates.

LDAP connection pooling for DataPower API Gateway
API Connect now supports LDAP connection pooling for the DataPower API Gateway service. Connection pooling reduces overhead and improves performance by maintaining a pool of connections and assigning them as needed. For more information, see the options in step 4 of Registering a gateway service.

SFTP management database backup support
The management subsystem database can be backed up to a remote SFTP server. In V10.0.7.0, only S3-compatible object-store is supported.

The CRD installation and upgrade processes now require additional parameters
In 10.0.8.0, CRD sizes increased. To ensure successful updates to a CRD, include the --server-side and --force-conflicts parameters in the kubectl apply command during installation or upgrade of CRDs.

The following topics now use the updated command to install or upgrade CRDs:

Rollback scenarios for VMware upgrades
If certain known problems are encountered during the upgrade process on VMware, a rollback is performed automatically.

In all cases, contact IBM Support for help with resolving the underlying problem before you reattempt the upgrade. For more information, see Upgrade fails with an automatic rollback.

New flag for install command when upgrading from 10.0.5.x on VMware
When running the install command to upgrade the management subsystem from 10.0.5.x on VMware, use the --force-operand-update flag to bypass the Warning state that occurs due to the change from the Crunchy database to EDB. This new flag is included in the upgrade instructions in Upgrading management, portal, and analytics on VMware.

New OIDC registry option to return third-party tokens as separate claims
By default, OIDC third-party tokens are returned as part of the access_token that is issued by API Connect. Returning the OIDC third-party tokens as separate claims prevents the access_token from growing too large. For more information, see Configuring an OIDC user registry in Cloud Manager.

Event Gateway Service provides access to event endpoints managed by the Event Endpoint Management application
You can configure your IBM Event Endpoint Management instance to be registered as an Event Gateway Service in API Connect. With the Event Gateway Service, application developers can discover event endpoints and configure applications to access them through the event gateway.