Known limitations

This page describes the known limitations for API Connect 10.0.7.0 and later.

Note: The limitations that are documented on this page will be removed as they are addressed in the IBM® API Connect product. For the most up-to-date list of product limitations, visit the English version of this page.
Issues transforming database encryption during upgrade operation to v10.0.8.2
IBM has identified and addressed an issue that may occur during upgrades to API Connect version 10.0.8.2, affecting database encryption transformation.

To resolve this issue, we have released v10.0.8.2-ifix1 as a full installation image.

  • New deployments: Perform a fresh installation using v10.0.8.2-ifix1 to avoid encountering this issue.
  • Existing deployments: If you have already upgraded to v10.0.8.2 and are experiencing this problem, upgrade directly to v10.0.8.2-ifix1 ( a complete replacement, not an incremental patch). If you have not yet upgraded to 10.0.8.2 then upgrade directly to v10.0.8.2-ifix1.

Before upgrading to APIC v10.0.8.2-ifix1, you must run the apicops preupgrade command to check for:

  • Recent encryption-related issues
  • Invalid gateway-extensions

For detailed upgrade or installation steps, refer to the IBM documentation.

WebSocket support

API Connect provides basic WebSocket functionality through the websocket-upgrade policy. However, there are important limitations to consider when designing APIs that use WebSocket communication.

  1. General limitations
    • The maximum reliable message payload is less than 1 KB.
    • Sending several messages in rapid succession may exceed cumulative limits. For example, three consecutive 500-byte messages may fail.
    • Messages up to 100 bytes can be reliably transmitted if sent with at least a 10 millisecond delay between them.
    • Send data at intervals greater than 10 milliseconds to prevent dropped connections or gateway issues.
    • WebSocket compression and streaming modes are not supported.
  2. Error handling limitations
    • When a server closes a connection using status code 1000, 1006, or 1008, the client receives code 1006, regardless of the actual cause.
    • If the server crashes, the client does not receive a close event or error message from the DataPower Gateway.
    • Errors can be caught:
      • In the main assembly before the websocket-upgrade policy is executed.
      • In sub assemblies during message processing after the upgrade that originate from a subassembly action.
    • Errors during WebSocket connections or after disconnection cannot be detected once the upgrade is complete.
  3. Opcode and data type support
    • Only text frames are supported.
    • Binary frames are not supported.
  4. Policy restrictions after upgrade
    • After the WebSocket upgrade, the following actions and properties are not supported in the sub assemblies:
      • client security
      • generate JWT
      • user security
      • validate JWT
      • client identification
      • activity log
      • HTML page
      • WebSocket upgrade
      • Parse:
        • use content type
        • warn on empty input
    • No actions are allowed in the main assembly after the upgrade.
    • Only sub assemblies that use supported properties can process messages after the upgrade.
Warning message after upgrading from version 10.0.5.x to version 10.0.8.x

After upgrading from API Connect v10.0.5.x to v10.0.8.x, users encounter the following warning message in the analytics component:

Warning: The transform of API event data into long term summary data has encountered problems. Contact your system administrator to investigate further. Long term summary data in reports may not be complete.

This warning is displayed because API event data processed by v10.0.5.x cannot be transformed into long-term summary data that uses v10.0.8.x.

The warning does not affect analytics functions or the accuracy of newly processed data in version 10.0.8.x. To resolve the warning automatically, ensure that the data retention policy is properly configured. As older data is purged, the warning clears. To update the retention settings, see Retention and rollover.

Validating from within a ruleset shows all rules
In the governance service, if you click Validate from within a ruleset, the list of rules shown includes rules that are not part of the selected ruleset. To work around this, manually select the rules that you want to use for the validation.
PK12 Key/Cert pairs created with legacy algorithms are not supported for use with the apic-gw-service
As a result of increased security requirements in IBM API Connect 10.0.8.0, if you configured your non-container gateways to use a PK12 cert/key pair that was generated with legacy algorithms, the Gateway service will fail to start.

Logs will show the following message:

[0x88e00011][apic-gw-service][error] apic-gw-service(default): API Connect Gateway Service 
caught unhandled rejection: Error: All sentinels are unreachable. Retrying from scratch after 10ms. 
Last error: unsupported

To resolve this problem, you must create a new key/cert pair and update your apic-gw-service object with this configuration. This can be done directly through the DataPower crypto tools, or through a third-party tool such as OpenSSLv3. note that OpenSSLv1 cannot be used because defaults to the legacy algorithms.

Gateway pod might show as not ready after upgrade
Gateway pods might fail to display as READY after upgrading to IBM API Connect 10.0.8.0. The pods will show as RUNNING, but 0/1 READY, as in the following example:
$ kubectl get pods -n <namespace>
NAME                                                       READY   STATUS      RESTARTS      AGE
...
gwv6-0                                                       1/1     Running     0            1h
gwv6-1                                                       1/1     Running     0            1h
gwv6-2                                                       0/1     Running     0            1h
...

To work around this behavior, use the following command delete the pod that is not ready:

$ kubectl delete pod gwv6-2 -n <namespace>

If there are multiple gateway pods in the cluster, the delete operation will not result in any service disruption.

Gateway services that span data centers
If you want to configure a gateway service that consists of gateways in different data centers, then note the following points:
  • This configuration should be used only if TMS is required and an external OAuth provider cannot be used.
  • Network latency between sites must be less than 30 ms.
  • For the analytics service to span data centers, network latency between data centers must be less than 10 ms. If you want to associate an analytics service with your gateway service, and cannot meet this latency requirement, then choose one of the data centers to host the analytics service.

Cloud Pak for Integration: Cannot add an API to the Asset Repository
If you are using API Connect as a component of Cloud Pak for Integration, you cannot add an API to the Asset Repository from API Connect.

Cloud Pak for Integration: Problem importing from Asset repository when user remains inactive
If there is no user activity on the page while importing an API from the Cloud Pak for Integration Asset repository, the user might see the following error: could not add asset, parent window missing

Work around the issue by reloading the Import API page and then opening the Asset repository again.

Limitations to the updated schema editor for API definitions
The Definitions section of the API editor for the API Manager and API Designer UIs was updated in API Connect 10.0.6.0. However, the OneOf, AllOf, and Enum schema structures aren't handled properly by the UI. You can work around this issue by editing the source YAML of your API document.

API Designer with Local Test Environment (LTE) fails to log in using https://localhost with the error message "Incorrect username, password, or credentials"
If you use the API Designer with the Local Test Environment and attempt to log in using the localhost, the login fails. You can work around the issue by configuring API Designer credentials to with the local host. Complete the following steps:
  1. Download and extract API Designer, then install the credentials file as explained in steps 1, 2, and 6 in Installing the toolkit.

  2. Edit the designer_credentials.json file and configure the following settings:
  3. Start API Designer and log in with the LTE using https://localhost as the Host URL (the management endpoint).

Gateway timeout when validating very large API documents with the API governance service
If you are validating very large API documents (5 MB, or 100,000 lines, or more), with all of the rulesets selected by default, the API governance service is likely to take longer than 60 seconds to run, and this can result in an HTTP 504 gateway timeout. To workaround this issue, you can take the following actions:
New ibm-apiconnect-operator pod fails to start due existing terminating ibm-apiconnect-operator pod holding lock
The IBM APIConnect operator uses leader election (leader-for-life) to ensure that only one operator/controller pod is running/active at a time. This relies on Kubernetes garbage collection to clean up the lock when the old operator pod is deleted. The new ibm-apiconnect operator pod fails to start if an existing terminating ibm-apiconnect operator pod is still holding the lock.

If you suspect you are encountering this issue, verify it by running the following command:

kubectl -n <namespace> logs <new-ibm-apiconnect-pod-name> | grep "LockOwner"

If the lock is the problem, the log contains a message similar to the following example:

existing lock","LockOwner":"ibm-apiconnect-xxxxxx held by terminating pod

Resolve the issue by completing one of the following options:

  • Force delete the terminating pod by running the following command: 
    kubectl -n <namespace> delete pod <terminating-ibm-apiconnect-pod-name> --force --grace-period=0

    Kubernetes deletes the lock when the pod is deleted.

  • Remove the lock manually by running the following command:
    kubectl delete cm ibm-apiconnect-lock
API Designer might hang while activating a large imported API
When you import a large API using API Designer and attempt to activate the API in the import wizard, the process might hang. If you encounter this issue, you can work around the problem by completing the following steps:
  1. On your local file system, locate the autoproduct file called API-NAME-auto-product_API-VERSION.yaml.
  2. Delete the file.
  3. In API Designer, edit the newly imported API and activate it by clicking the Online toggle.

In general, it is best practice to activate an API using the Online toggle or by publishing the API with the Publish option.

API Designer on Windows: APIs that use WSDL might encounter errors, or fail to activate, publish, or update.
If you activate, publish, or update a REST or SOAP API that uses a WSDL file, the operation might fail and never complete. Work around the issue by using the autopublish API feature in the API editor.

Permission restrictions in the API Designer UI
The API Designer UI currently has the following permission restrictions:
  • Developers that have been given only View permissions cannot see the Test tab in the API editor. For developers to be able to see the Test tab, they must be given a different permission level. For information about the default permission levels available, see API Connect user roles.
  • Users with API-Drafts permissions, but who don't have any Sandbox Catalog permissions, cannot see the Test preferences in the Sandbox Catalog. For these users to be able to see the Test preferences, they must be given the Developer or Administrator role on the Sandbox Catalog.
Deleted security requirements might remain in the API source
Security requirements that are deleted from APIs in the API Designer and API Manager UIs, might still remain in the source. To work around this issue, click the Source icon OpenAPI Source icon in the API editor, and manually remove the security requirements.

Sometimes the completion of an SFTP restore on the Management subsystem does not restore the actual data.
There is a known issue where sometimes a restore from the Management subsystem's SFTP backup succeeds but the data is not restored. If this happens, run the restore again.
Customized application view is reset to the default after upgrade if forums are also disabled
When upgrading API Connect version 10.0.5.0 or earlier to version 10.0.5.1 or later, if you have disabled forums on your Developer Portal site, and you have customized the application view, the customized application view will be reset to the default after the upgrade. To work around this issue, you can save the customized application view before running the upgrade, and then import the view into the upgraded Developer Portal.
To save the customized application view, run the following commands:
mkdir /tmp/tmp_config_<site-alias>
drush @<site-alias> config-get views.view.applications > /tmp/tmp_config_<site-alias>/views.view.applications.yaml
Where <site-alias> is the alias of your Developer Portal site.
To import the saved view after the upgrade, put the views.view.applications.yaml file inside a directory where it's the only file, and then run the following command:
drush @<site-alias> config-import --partial --source=/tmp/tmp_config_<site-alias>/

Cannot add comments to APIs by using the Source view in the API Designer and API Manager UIs
Comments cannot be added to APIs in the API Designer and API Manager UIs by clicking the Source icon OpenAPI Source icon, and using the hashtag symbol.

Changing Product visibility from Custom to Public doesn't automatically remove the Consumer organizations and groups
In the API Designer and API Manager UIs, changing Product visibility from Custom to Public doesn't automatically remove the consumer organizations and groups, so the Product publish will fail. To work around this issue, manually remove all of the consumer organizations and groups.

Stale cache can result in unexpected behavior in the Cloud Manager and API Manager UI
Having a stale cache in your browser can result in unexpected behavior in the Cloud Manager and API Manager UI, such as fetch errors, incorrect data being displayed, and blank pages. To work around this issue, particularly if you have just upgraded your deployment, complete the following actions:
  • Reload the browser window.
  • If there is still an issue, clear the browser cache and then log back in to the UI.
  • Try using a private browser window.
  • If possible, try a different browser type.
If issues persist, contact IBM Support.

The "Select compatible gateway services" option in Test Preferences causes a "404 POST undefined" error while testing the API
In the Test Preferences > Target gateway services setting, selecting Select compatible gateway services and choosing a specific gateway results in a "404 POST undefined" error when you test the API in the API Explorer or the Test tab.

Workaround: To avoid this problem, select the Use all compatible gateway services target gateway option instead.

Analytics command restrictions
The following --mode analytics commands work only when the flag --return_format is set to either json or yaml:
  • clustermgmt:catAllocation
  • clustermgmt:catIndices
  • clustermgmt:catNodes
  • clustermgmt:catRecovery
  • clustermgmt:catShards
  • clustermgmt:catAliases
The following commands don't currently work on the Toolkit CLI, as they return only text/plain:
  • clustermgmt:getNodesHotThreads
  • clustermgmt:getNodesHotThreadsById

Options menus in the Catalog might be hidden
In a Catalog, in any of the different tabs such as Consumers, or Subscriptions, when clicking on the options icon Options icon the menu items might be hidden. To work around the issue, reload the page and the menu items will appear.

Override plan rate limits are not displayed in the Endpoint tab
Any override plan rate limits that have been added to your API for individual operations are not displayed in the API Endpoint tab in the UI. Only the plan rate limit is displayed.

Consumer rate limit notifications are not available in Version 10
The ability to configure notifications for applications so that API consumers are alerted when the usage of an API is nearing its rate limit is not available.

Configuration update mistakes cause admission webhook errors in OpenShift and Cloud Pak for Integration
In OpenShift and Cloud Pak for Integration, configuration update errors can cause the APIConnectCluster instance to go into the Pending state with an underlying component throwing an admission webhook error.
oc get apiconnectcluster -n APIC_namespace

NAME   READY  STATUS    VERSION             RECONCILED VERSION   AGE
m1     admission webhook "vmanagementcluster.kb.io" denied the request: ManagementCluster.management.apiconnect.example.com "m1-mgmt" is invalid: [spec.databaseBackup.restartDB.accept: Invalid value: false: databaseBackup protocol has changed (from '' to 'objstore') and requires database restart. accept restartDB to restart database, spec.databaseBackup.restartDB.accept: Invalid value: false: databaseBackup configuration has changed and requires database restart. accept restartDB to restart database]   Pending   10.0.1.5-3388-eus   10.0.1.5-3388-eus    2d6h

The 'strict' SameSite cookie causes incorrect invitations to consumer organizations
Using the 'strict' SameSite cookie might cause invitation links from emails to send users to a registration page where they are asked to create a new consumer organization instead of joining the organization they were invited to.

The workaround is to using the 'Lax' SameSite Cookie attribute.

Limitations to the OpenAPI 3.0 support
IBM API Connect supports the OpenAPI 3.0 specification, with some limitations. For information about what is supported, see OpenAPI 3.0 support.

A GraphQL API that contains a graphql-input-type-cost rate limit fails to publish
A GraphQL API created in releases earlier than IBM API Connect Version 10.0.3.0 might contain a graphql-input-type-cost rate limit, which is no longer supported. If you attempt to use the automatic activation mechanism to publish the API, or manually add the API to a Product and attempt to publish that Product, the publish operation will fail. You can resolve this problem in either of the following ways:
  • Remove the rate limit definition from the OpenAPI source for the API. For example, if the source is in YAML format, remove the following lines:
    - name: graphql-input-type-cost
  operation: consume
  • Edit the source for the Product and define a graphql-input-type-cost rate limit in all of the Plans that include the API.
    Note: You can edit only a manually created Product, not a Product that is generated by the automatic activation mechanism.

Update WSDL option is not supported in the API Designer UI
The Update WSDL option to update the configuration of an existing SOAP API from a WSDL file or a .zip archive, is supported only in the API Manager UI, or by using the developer toolkit. This option is not supported in the API Designer UI.

A Product republish, with the Preserve Subscriptions option, fails after a consumer organization group has been removed from the visibility settings
If you remove a consumer organization group from the custom visibility settings for a Product, and that group contains a consumer organization with an application that is subscribed to the Product, an attempt to republish the Product with the Preserve Subscriptions option will fail even if that consumer organization is then added to the custom visibility settings individually.

For a secured GraphQL API, GraphQL subscriptions cannot be tested by using the Test tab in the user interfaces
For a GraphQL API that is secured by client ID, GraphQL subscriptions cannot be tested by using the Test tab in the API Designer or API Manager user interfaces. The API can still be published and used in production.
You can test GraphQL subscriptions in either of the following alternative ways:
  • Remove client ID security from the API, for testing purposes, then use the Test tab.
  • Use an external test tool.
A published API whose assembly contains a catch block with an invalid policy will now correctly fail to republish
Previously, policies in an assembly catch block were not validated, so if an incorrect policy configuration was coded in the OpenAPI source for an API, within an assembly catch block, the API would still publish successfully. Now, policies in an assembly catch block are validated, so such an API will fail to republish and will first need to be corrected.

An existing user cannot be added to a Space
If you attempt to add an existing user to a Space, the operation cannot be completed because the Create button is not enabled. Instead, use the invitation mechanism. For details, see Managing Space membership.
Note: The invited user must use the Sign in option on the activation form, rather than completing the registration details and using Sign up.
Simultaneous editing of the same API by multiple users might result in changes being overwritten
If one user saves changes to an OpenAPI 3.0 API, another user who has the same API open in the API editor might have their changes overwritten.

An API developed for IBM API Connect Version 2018.4.1 that uses an apim.getvariable('message.body') function call fails in IBM API Connect Version 10
With the DataPower® API Gateway in IBM API Connect Version 2018.4.1, the type of object returned, for XML payloads, by an apim.getvariable('context_name.body') function call in a GatewayScript policy in an API assembly depends on how the variable is stored in the gateway context, as follows:
  • If the variable is stored as a Buffer (because the variable data was written as an XML string), an XML Nodelist is returned provided that contextname.headers.content-type is an XML type.
  • If the variable is stored as a parsed XML Document (because the variable data was written as parsed XML, either as an XML document or an XML Nodelist), an XML document is returned.

With the DataPower API Gateway in IBM API Connect Version 10 however, the same function call always returns an XML Nodelist provided that contextname.headers.content-type is an XML type. Therefore, such an API developed for Version 2018.4.1 will fail in Version 10 if it is configured to expect an XML document, and will need to be reconfigured appropriately.

The problem does not occur with such an API migrated from IBM API Connect Version 5 because, with that release, apim.getvariable('context_name.body') also returns an XML Nodelist for XML payloads, nor does it occur if you are using the DataPower Gateway (v5 compatible).

context_name could be message, request, or the name of the output from an invoke policy.

Validate policy limitations when GraphQL response contains a GraphQL server error
When a GraphQL response contains a GraphQL server error and no data, the assembly Validate policy generates an error on the missing data and overwrites the payload. When the response contains partial data and an error, the assembly Validate action validates the data and overwrites the payload. To work around this limitation, use the condition $not($exists(message.body.errors)) in an assembly switch condition to skip the assembly Validate policy when the response contains errors.

An OpenAPI definition that contains regular expression syntax fails validation
IBM API Connect supports the GO regular expression syntax. When you import an OpenAPI definition into the API Designer or API Manager user interfaces, or validate one with the apic validate, the validation will fail if the OpenAPI source contains unsupported regular expression syntax, with errors that include Does not match format 'regex'; for example:
- Must validate at least one schema (anyOf) (context: (root).paths./example/types.post.parameters.0.schema.properties.items, line: 0, col: 0)
- Must validate one and only one schema (oneOf) (context: (root).paths./example/types.post.parameters.0, line: 46164, col: 21)
- paths./example/types.post.parameters.0.schema.properties.items.properties.pattern Does not match format 'regex' (context: (root).paths./example/types.post.parameters.0.schema.properties.items.properties.pattern, line: 0, col: 0)
When scaling down a Kubernetes cluster of DataPower gateways, the cluster might enter an unrecoverable state if the peering primary instance is lost
If you are scaling down a Kubernetes cluster of DataPower gateways, you must first complete the following steps to ensure that the peering primary instance is not lost:
  1. List the pods in the cluster; for example:
    $ kubectl get pods -n apiconnect --selector app.kubernetes.io/component=datapower,crd.apiconnect.ibm.com/instance=gwv6
NAME     READY   STATUS    RESTARTS   AGE
gwv6-0   1/1     Running   0          3h31m
gwv6-1   1/1     Running   0          3h32m
gwv6-2   1/1     Running   0          3h34m
  2. Enter the DataPower admin CLI for gateway 0, by entering the following command and logging in at the prompt; for example:
    $ kubectl attach -n apiconnect -it gwv6-0
  3. Switch to the API Connect domain and enter config mode:
    idg# switch apiconnect
idg[apiconnect]# config
Global mode
  4. Show the gateway peering status; for example:
    idg[apiconnect](config)# show gateway-peering-status

 Address        Configuration name Pending updates Replication offset Link status Primary
 -------------- ------------------ --------------- ------------------ ----------- -------
 1.2.3.1        gwd                0               18331896           ok          no
 1.2.3.1        rate-limit         0               3091219            ok          no
 1.2.3.1        subs               0               3150127            ok          no
 1.2.3.1        tms                0               3063575            ok          no
 1.2.3.2        gwd                0               18330948           ok          no
 1.2.3.2        rate-limit         0               3091067            ok          no
 1.2.3.2        subs               0               3149975            ok          no
 1.2.3.2        tms                0               3063257            ok          no
 1.2.3.3        gwd                0               18330948           ok          yes
 1.2.3.3        rate-limit         0               3091067            ok          yes
 1.2.3.3        subs               0               3149975            ok          yes
 1.2.3.3        tms                0               3063257            ok          yes
  5. For each of the configuration names, set gateway 0 to be the peering primary instance:
    idg[apiconnect](config)# gateway-peering-switch-primary gwd
The instance is now the primary in the peer group.
idg[apiconnect](config)# gateway-peering-switch-primary rate-limit
The instance is now the primary in the peer group.
idg[apiconnect](config)# gateway-peering-switch-primary subs
The instance is now the primary in the peer group.
idg[apiconnect](config)# gateway-peering-switch-primary tms
The instance is now the primary in the peer group.
  6. Show the gateway peering status to confirm the changes; for example:
    idg[apiconnect](config)# show gateway-peering-status

 Address        Configuration name Pending updates Replication offset Link status Primary
 -------------- ------------------ --------------- ------------------ ----------- -------
 1.2.3.1        gwd                0               19067953           ok          yes
 1.2.3.1        rate-limit         0               3218172            ok          yes
 1.2.3.1        subs               0               3277032            ok          yes
 1.2.3.1        tms                0               3189160            ok          yes
 1.2.3.2        gwd                0               19067953           ok          no
 1.2.3.2        rate-limit         0               3218172            ok          no
 1.2.3.2        subs               0               3277200            ok          no
 1.2.3.2        tms                0               3189160            ok          no
 1.2.3.3        gwd                0               19069241           ok          no
 1.2.3.3        rate-limit         0               3218172            ok          no
 1.2.3.3        subs               0               3277508            ok          no
 1.2.3.3        tms                0               3189312            ok          no
Incorrect UI behavior if API changes are not saved before creating a new API version
If you make changes to an API definition and then attempt to create a new API version without first saving your changes, you are not prompted to save your changes until after you have completed the new version creation operation. If you click OK in the prompt, your new version is created but your original changes are lost; to create your new version and retain your original changes, you should click Cancel in the prompt, then click Save to save your original changes.

Truststore and keystore settings in a shared TLS client profile are not reflected in API Manager
If you create a shared TLS client profile in the Cloud Manager user interface and assign a truststore and a keystore, these truststore and keystore settings are not reflected in that TLS client profile in the API Manager user interface and cannot be set there. Furthermore, the TLS client profile list views display the value shared for the truststore and keystore rather than the correct values. To workaround this problem, create the truststore, keystore, and TLS client profile separately for each provider organization in the API Manager user interface, then enable the TLS client profile in your Catalogs as required.

Login to the Cloud Manager or API Manager user interfaces might fail with error 431 if the browser has a large number of cookies
Attempts to login to the Cloud Manager or API Manager user interfaces might fail if the HTTP header or cookie size is larger than 32 KB, a limitation that is imposed for security reasons. To resolve this problem, either clear the browser cache and cookies, or open a private window, then retry.

The apic cloud-settings:topology command doesn't return a topology object
If you use the apic cloud-settings:topology command without a --format parameter, it returns only the string CloudTopology rather than the cloud topology. To retrieve the topology object, include the --format parameter, with a value of either yaml or json as required.

The apic cloud-settings:mail-server-configured command response is incorrect
If you use the apic cloud-settings:mail-server-configured without a --format parameter, it returns only the string MailServerConfigured rather than a boolean value to indicate whether an email server has been configured in the cloud settings. To retrieve the correct response, include the --format parameter, with a value of either yaml or json as required.

API Designer user interface might not open correctly if there are badly formed OpenAPI YAML files in the startup directory
If, when launching the API Designer user interface, the startup directory that you select contains one or more badly formed OpenAPI YAML files, the interface might fail to load correctly, with an error such as the following:
Cannot read property 'type' of null

To resolve this problem, remove any invalid OpenAPI YAML files from the startup directory, then restart the API Designer user interface.

Pagination setting is global across the API Connect user interfaces
If you set the Items per page value on any page in the Cloud Manager or API Manager user interface, that setting is then applied to all pages in both user interfaces in the same browser session. If you want to set the value separately for a specific page, open it in a private browser window. Such a setting in a private browser window is specific to that window and is lost when the window is closed.

Setting resource limits in Kubernetes can cause containers to behave oddly at run time
In Kubernetes, you can set resource limits for each container. However, limiting CPU means that the container processes might slow down if they try to use too much. Limiting memory means that the Kubernetes code kills processes that try to allocate memory that would take the container over its limit. These limits can result in odd behavior such as the containers continually trying to start a daemon process, such as nginx or node, and exiting with success immediately.

Field validation for the Client security policy is incorrect
When configuring a Client Security policy in an API assembly in the API Designer or API Manager user interfaces, there is the following incorrect validation behavior:
  • The ID Name field is required, but the API definition can be saved without entering a value in the field.
  • The Secret Name field is required only when the Secret Required option is selected, but the user interface indicates that the Secret Name field is required regardless. Furthermore, when the field is required, the API definition can be save without entering a value.
  • If the Authenticate Client Method is set to Third party, the User Registry Name field is required, but the API definition can be saved without entering a value in this field.
Requests that take longer than the value of the nginx timeout cause a 409 error
Requests that take longer than the value of the nginx timeout can cause a 409 error, such as:
Another request is operating on portal-subsystem-03729230-4df7-4419-94c9-e7691b616382 with the same name, 
please try again.
The error occurs because the ingress controller is sending a repeat request when the previous one timed out. Your request will still continue processing in the background.
Adding members to a provider organization might fail
When adding members to a provider organization, the Cloud Manager user interface lists the current owner and members as well. If existing members are selected, the add action will fail.

Upgrading with new certificates breaks analytics ingestion
If the analytics subsystem certificates are modified after installation (by using the apicup certs set command , followed by the apicup install command to deploy the change to the cluster), the analytics ingestion ingress will no longer be recognized by the Gateway. The analytics service must be re-registered in the Cloud Manager interface so that the new certificates are recognized.

User interfaces are not supported in Microsoft Edge
The API Manager and Cloud Manager user interfaces are not supported in the Microsoft Edge web browser. To work in the user interfaces, use a different browser.

New gateways cannot connect to existing gateways after the gateway peering certificates are changed
Changing the gateway peering SSL certificates after gateway installation causes new gateways to be unable to connect to existing gateways, resulting in an outage. A full restart of the gateway StatefulSet (by deleting all the StatefulSet pods) is required for the gateways to come back online.

No option to bulk delete APIs or Products
In the API Designer and API Manager user interfaces, there is currently no option to delete multiple APIs or Products in a single operation; in the user interfaces, APIs and Products must be deleted individually. However, you can bulk delete APIs and Products by using the REST API or CLI interfaces.

Cannot publish an API that has duplicate security definition entries
The API Designer and API Manager user interfaces allow you to add duplicate security definitions to an API. However, attempts to publish the API will fail with OpenAPI validation errors. Ensure that the security definitions in an API are unique.

Kubernetes might excessively evict pods
In Kubernetes, if insufficient memory, CPU, or storage resources are provided then pods are evicted randomly. To avoid this problem, allocate sufficient resources to the pods. In addition, there are known issues with log rotation in Kubernetes that are documented here: https://github.com/kubernetes/kubernetes/issues/59902. The lack of log rotation can cause logs to grow, limited only by the amount of storage on the node, eventually causing pods to restart. Therefore ensure that appropriate log levels are configured for all API Connect components.

You may also follow the instructions described here https://success.docker.com/article/how-to-setup-log-rotation-post-installation to set the maximum size of the log before it is rolled (max-size) and the maximum number of log files that can be present (max-files). More information about the Docker JSON File logging driver is available here: https://docs.docker.com/config/containers/logging/json-file/.

Logging in to the API Connect user interfaces fails when using the Safari web browser
If you are using the Safari web browser and a Basic Authorization header exists for the same DNS domain in which API Connect is running, attempts to log in to the API Connect user interfaces, or to sign up by using an activation link, fail. To avoid this problem, use an alternative web browser.

Endpoints cannot be changed by using APICUP after they have been configured in Cloud Manager

The changing of endpoints with APICUP after they have been configured in Cloud Manager is not supported. Any such endpoint changes will not be propagated to a running deployment.

An OAuth provider fails if the resources that it references aren't enabled in the Catalog
If you enable an OAuth provider in a Catalog then any resources that it references, such as API user registries or TLS client profiles, must be enabled in the same Catalog; if not, then although the OAuth provider might publish successfully it will fail at run time. For information on enabling resources in a Catalog, see Creating and configuring Catalogs.

Redact conditions within switch, operation-switch, or if policies might not execute after converting to DataPower API Gateway
If an API Connect v5-compatible redact policy is found within a switch, operation-switch, or if policy, the migration utility does not move the redact policy to the beginning or end of the assembly. The difference in the response between API Connect v5 and DataPower API Gateway may prevent data from being redacted in the DataPower API Gateway.

For example, if an assembly includes a switch policy containing four redact conditions followed by an invoke policy, each redact condition redacts the response data. After porting to the API Gateway, the redact conditions remain inside the switch policy and target the message.body property for redaction. These redactions fail to execute because the message.body property has not yet been retrieved by the invoke policy. To correct this problem, you must move the invoke policy before the switch policy in the assembly.

Redact on invalid XPath fails after converting to DataPower API Gateway
Redact on invalid XPath fails after converting to DataPower API Gateway. Application
Management Unit (AMU) version 10.0.8.0-R0 support the conversion of the Redact
policy, but only to Redact version 1.5.0, not 2.0.0.

Numerical Handling in YAML Configurations and Precision Constraints in API Manager UI
  • In the API Manager UI YAML configurations, numbers in exponential notation (for example 1e20) are handled differently based on their exponent value. Numbers with an exponent less than or equal to 20 are converted to their full integer form (for example 1e20 becomes 100,000,000,000,000,000,000) for display and processing. Numbers with an exponent greater than 20 stay in exponential notation (for example 1e21). Numbers that exceed the range of integers that are supported by DataPower JSON schema validation (-9,007,199,254,740,992 to 9,007,199,254,740,992) result in validation errors or unexpected behavior.
  • JavaScript's inherent precision limitations truncate floating-point numbers to approximately 17 significant digits. For example:
    • Input: 0.123456789012345678901234567890
    • Processed Value: 0.12345678901234568