What's new in the latest release (Version 10.0.7.0)

Product files and release notes

What's new for Developers

New toolkit command to execute API tests stored in a YAML file

The API Connect developer toolkit includes a new command apic test that uses the automated API behavior testing application to execute API tests. You can include one or more YAML files in the command, and each file can contain one or more API tests to be executed. For more information, see Using the toolkit CLI to execute API tests.

Support for OIDC discovery

API Connect now provides native support for OIDC discovery, which allows a client to query attributes of the provider itself. You can supply the provider's URL manually while configuring the OIDC parameters for a native OAuth provider, or have the field populated automatically when you specify OAuth settings for an OpenAPI 3.0 definition.

LDAP updates

• The UI for creating an LDAP registry now provides options for specifying the scope for "Search DN" (subtree, one level, and base) as you can in the CLI.
• You can now specify whether your LDAP is Microsoft Active Directory in the UI and with the CLI, to ensure that the directory is handled correctly in API Connect.

For more information, see Creating an LDAP user registry andUsing the CLI to create an LDAP user registry.

Updates to the assembly authoring experience in the API editor

The API editor for viewing and editing the assembly section of APIs in the API Manager and API Designer is updated with a new user experience. The overall capability remains the same, but the visual components for working with the flow canvas, the policy palette, and the policy properties are updated. For more information, see Including elements in your API assembly.

New rate limit and GraphQL built-in policies

The following rate limit and GraphQL policies are added to the API assembly editor:

• ratelimitinfo
• graphql-execute

Improvements to the API testing experience in the API editor

The Test tab section of the API editor is updated to allow API testing independently of the auto-publish setting, and to make important selections more visible. For more information, see Using the Test tab to debug your API.

What's new for API product managers

New timeout setting available for the self service onboarding task

You can now configure the timeout period for the self service onboarding task of API consumers into a catalog, and the associated Developer Portal. Previously, the self service onboarding task timeout was set at 72 hours, and couldn't be changed. Now you can update this setting by using the Self service onboarding task timeout setting in the Onboarding section of the Catalog settings tab. Note that this timeout setting includes the activation link and, if Self service onboarding approval is selected, the approval process as well. For more information, see Creating and configuring catalogs.

API governance service updates

The following updates to the API governance service are now available:

• Validating API documents is now available in API Designer when the UI is online, and is connected to a cloud instance that has the API governance microservice enabled on it.
• When creating and editing rulesets, you can now add your own version number information, and can have rulesets with the same name but with different version numbers. Note that version numbers must be of the format major.minor.patch, for example 1.0.0.
• The ruleset Name field is now auto-generated based on the Title field.
• The version of the Spectral rulesets now matches the version of that ruleset that's available in Spectral. Spectral ruleset names are prefixed by spectral-.
• You can now use the toolkit CLI to configure API governance in the Cloud Manager and the API Manager. You can also use the commands to validate an API document. For a complete list of the commands, and information about how to run them, run the following commands in the toolkit CLI:
  • apic --mode governance rulesets --help - displays the commands that are available for creating and managing rulesets.
  • apic --mode governance rules --help - displays the commands that are available for creating and managing rules.
  • apic --mode governance compliance --help - displays the commands that are available for running validation on API documents.

For more information about the API governance service, see Configuring API governance in the API Manager and Validating an API document by using API governance.

Provider organization analytics data is not shared with cloud admin users

In previous releases of API Connect, Provider organization-specific analytics data was available to Cloud Admins by default. Beginning with version 10.0.7.0, the data is not shared with Cloud Admins by default; the owner of a Provider organization can optionally enable the sharing of analytics data with Cloud Admins. The new setting does not apply to total API call volume data; Cloud Admins can still see total API calls across the API Connect deployment. For more information, see Allowing cloud admins to view provider organization analytics data.

Analytics Monitoring Data Dashboard

The Cloud Manager and API Manager analytics view have a new dashboard called Monitoring Data Dashboard. The new dashboard provides information on which applications, plans, consumer organizations, and APIs are sending and receiving the most data.

New analytics API event fields

When using API Gateway v10.5.3 or higher, two new fields are included in API event records:

• api_resource_id: String containing the resource ID for the API used by the gateway. Format is api_name:api_version:method:path.
• gateway_service_name: The name of the gateway service, as configured in the Cloud Manager UI.

Analytics event query_string fields are now stored as text

API event query_string fields are now stored in analytics as text for improved indexing.

Top 20 analytics charts

New analytics charts that show the top 20 APIs, applications, and consumer organizations.

Analytics scroll API responses sorted by datetime

Calls to the analytics REST API events/scroll operation return results sorted by datetime.

Analytics inactive product report

New report in the API Manager UI that highlights products that have no subscriptions, no recent traffic, or no traffic at all.

Analytics inactive consumer report

New report in the API Manager UI that highlights consumers that have no applications, no subscriptions, no recent traffic, or no traffic at all.

Various analytics UI enhancements

• UI Dashboards and Discover view has auto-refresh option to refresh the UI every 30 seconds automatically.
• The columns displayed in the Analytics UI Discover view are now configurable and can be saved as part of a saved/shared query.
• Calendar widget for easier date selection.
• Display total option on specific charts. For example, when the option is enabled, the Top APIs chart shows the total API calls, so the comparison of calls to a single API against the total API calls is clear.
• Shared and saved query table includes column showing filters used, for easier identification of the desired query.
• New time range options for viewing API event data in the UI:
  • Last minute of API event data.
  • Last 5 minutes of API event data.
• The time axis on analytics charts is sized appropriate to the available data points and selected time period.

Analytics API call volume leaderboards

The reports tab in the analytics view includes a leaderboard of the top APIs, products, plans, applications, and consumer organizations.

Analytics consumer trend report

The reports tab in the analytics view includes a new consumer trend report that shows changes to the number of applications and subscriptions in consumer organizations over time.

Detailed API, Product, Plan, Application, and consumer organization analytics reports

Detailed analytics information about specific APIs, products, plans, applications, and consumer organizations. For example, for an API, details of all the consumer organizations that use it. The detailed reports are accessible from the leaderboards in the reports view.

What's new for Developer Portal site administrators

New Developer Portal service command

The service command enables you to list the Developer Portal service that is currently installed. For more information, see Using the service command.

New Developer Portal content commands

The new content commands allow you to list, export and import your Developer Portal site content. The following content commands are now available:

• content:create-export

  Creates a task to export a .tgz file of your site content.

• content:create-import

  Creates a task to import an archive of your site content.

• content:delete-export

  Cancels any currently running content:create-export tasks, and deletes any related artifacts.

• content:delete-import

  Cancels any currently running content:create-import tasks, and deletes any related artifacts.

• content:get-export

  Streams the content of a specific completed export task to a .tgz file.

• content:get-export-status

  Returns the status of a specific export task.

• content:get-import-status

  Returns the status of a specific import task.

• content:list-types

  Lists the exportable content types on your site.

• content:list

  Lists all of the entities on your Developer Portal site for the given content type and bundle.

For more information about the content commands and how to use them, see Using the content commands.

New Developer Portal export-entity commands

The following export-entity commands are added, which enable you to export assorted entity content from your Developer Portal site.

• export-entity:create

  Creates a new export entity, which is the container for the entity content that you want to export.

• export-entity:add-content

  Adds content to an existing export entity.

• export-entity:get

  Returns a list of the content of a specific export entity.

• export-entity:remove-content

  Removes certain content from a specific export entity.

• export-entity:delete

  Deletes a specific export entity.

• export-entity:launch

  Launches an export entity polling task that creates a .tgz file of all of the entities that are contained in a specific export entity. Can be run with a --no-poll option, in which case the task doesn't return a .tgz file, but just returns the task ID.

• export-entity:get-launch-export

  Streams the content of a specific completed export-entity:launch task to a .tgz file.

• export-entity:delete-launch-export

  Cancels a currently running export-entity:launch task, and deletes any related artifacts.

• export-entity:get-launch-export-status

  Returns the status of a specific export-entity:launch task.

• export-entity:list

  Returns a list of all of the export entities within a specific Developer Portal. Each export entity contains a defined list of all of the entity content that will be exported if export-entity:launch is run.

For more information about the export-entity commands and how to use them, see Using the export-entity commands.

Note that you can now also export and import entities from the Developer Portal UI. When you're editing a content entity type in the UI, you can click Export in the side navigation bar. To create an export entity container and export that entity, including any required embedded entities, click Export entity. Or, if you have an existing export entity container, you can select the required container, and click Add to the export. You can also view and manage all of your export entities by clicking Content > Content synchronizer > Exports, and all of your import entities by clicking Content > Content synchronizer > Imports.

Updates to the Developer Portal site commands

The site command now enables you to export and import the entire configuration for a Developer Portal site, including custom modules, custom themes, site configuration, and site content. The added commands mean that you can easily replicate a Developer Portal site, for example replicating a test site into a production site. The following site commands are added:

• site:create-export

  Creates a task to export a .tgz archive file of your entire site configuration. You can then use this archive to create an identical Developer Portal site.

• site:create-import

  Creates a task to import an archive of your entire site configuration, completely overriding the original site configuration, including content, custom modules, and custom themes.

• site:delete-export

  Cancels any currently running site:create-export tasks, and deletes any related artifacts.

• site:delete-import

  Cancels any currently running site:create-import tasks, and deletes any related artifacts.

• site:get-export-status

  Returns the status of a specific export task.

• site:get-export

  Streams the content of a specific completed export task to a .tgz file.

• site:get-import-status

  Returns the status of a specific import task.

Important: If you want to import a site export configuration file, the export file must have been created on the same version of API Connect as the version that you want to import to.

For more information about the site commands and how to use them, see Using the site commands.

Updates to the list of blocked Drupal modules

The following Drupal modules are now unsupported and their installation is blocked in the Developer Portal:

• All of the advanced aggregation modules; advagg, advagg_mod, advagg_js_minify, advagg_css_minify, advagg_ext_minify, advagg_validator, and advagg_bundler. These modules are blocked due to incompatibility with the current Drupal version.
• statistics module. This module is being deprecated by Drupal.
• tfa module. Two-factor authentication isn't available within the Developer Portal. If multi-factor authentication is required, it can be configured within an OpenID Connect (OIDC) user registry; see Creating an OIDC user registry.

For more information about custom modules, see Installing custom modules.

Ability to identify the realm parameter when logging in as a consumer to the toolkit CLI

You can now find out which realm parameter you need to use when logging in to the Developer Portal with the toolkit CLI, by running the following command:

apic identity-providers:list --server consumer_endpoint_api --mode consumer --catalog catalog_name_or_id --org <provider_org_name_or_id> --fields registry_type,realm

For more information, see Logging in as a consumer to the Developer Portal by using the CLI.

Ability to configure the analytics chart views in the Developer Portal

You can now configure which analytics charts of API data are displayed to API consumers in the Developer Portal. Previously, if access to analytics data is granted, API consumers see all of the default charts of application and organization analytics data, including API statistics, response times, and error information. Now, you can configure which charts are displayed to your API consumers, by using the Configuration > System > IBM API Developer Portal Consumer Analytics menu in the Developer Portal UI.

For more information, see Configuring analytics in the developer portal.

What's new for DevOps

Local and SFTP management database backup not available in v10.0.7.0

In v10.0.7.0, the management database can be backed up to an S3 object-store only. Support for SFTP and local backups will be provided in a future v10.0.x release.

If you are on v10.0.6.0 and using SFTP or local backups for your management database, then to upgrade to v10.0.7.0 you have two options:

• Update your management database backup configuration to use an S3 object-store before you start the upgrade process.
• Enable an opt-out setting to allow upgrade to v10.0.7.0 without management database backups configured.

For more information, see the upgrade steps for your platform:

• Upgrading on Kubernetes, OpenShift, and Cloud Pak for Integration
• Upgrading on VMware

New analytics deployment profile

A new analytics profile is available on all platforms: n3xc4.m32. Use this profile instead of the existing n3xc4.m16 profile if you have a high analytics load, since the 16 Mi of memory in the n3c4.m16 profile can be insufficient.

Updates to analytics deployment profile storage and ingestion pods

The memory requests and limits of the storage pods is reduced for the following profiles:

• n1xc6.m48: Reduced from 38 Gi to 37 Gi.
• n3xc6.m48: Reduced from 38 Gi to 37 Gi for shared storage, and from 36 Gi to 35 Gi for dedicated storage.
• n3xc8.m64: Reduced from 54 Gi to 53 Gi for shared storage, and from 50 Gi to 49 Gi for dedicated storage.

The default PVC size for the ingestion pod is increased from 5 Gi to 50 Gi in all profiles.

Analytics ingestion resiliency

Analytics persistent queue feature updated for better resiliency when both internal storage and offload is configured. The offload processes are now separated from the internal storage processes.

Replacement of management database operator

New Postgres operator on the management component: EDB.

EDB replaces the previous Postgres operator Crunchy.

The change to EDB results in some changes to the procedures for:

• Install.
• Upgrade.
• Backup, restore, and disaster recovery.
• Form factor migration.
• Two data center disaster recovery.
• Management database maintenance and monitoring.

Analytics persistent queue is enabled by default

The persistent queue feature is enabled by default on new v10.0.7.0 installations. If you are upgrading from v10.0.5.x or v10.0.6.0, the feature is automatically enabled during upgrade.

Cloud Pak endpoints are deprecated for API Connect

Beginning with version 10.0.7.0, API Connect no longer uses the Cloud Pak cpd routes for endpoints when deployed as a component of Cloud Pak for Integration. Instead, the component uses the typical default API Connect routes (or the custom endpoints configured in the CR). This change affects both new installations and upgrades from previous versions of the API Connect component in Cloud Pak for Integration.

If you want to deploy the API Connect component with Cloud Pak endpoints, or you need to preserve your existing endpoints (for example, to support existing bookmarks and automation features), you can enable the use of Cloud Pak endpoints when installing or upgrading the API Connect component in Cloud Pak for Integration 2023.4.1 or later. For more information, see Deploying on OpenShift and Cloud Pak for Integration or Upgrading on OpenShift and Cloud Pak for Integration.

Technical Preview: New API Connect Config Sync utility to replicate consumer-side catalog data

API Connect Config Sync is a utility that can be run either as a standalone binary, or as part of a Kubernetes cronjob to facilitate the unidirectional replication of consumer-side data (consumer organizations, members, apps, subscriptions, credentials) from a catalog in a source API Connect cluster to a corresponding catalog in a separate, target API Connect cluster.

For more information, see Using API Connect Config Sync to replicate consumer-side catalog data.

VMware: New apicup command to get node status from your local machine

The new apicup subsys status command can be run locally to get a node's status without requiring you to first SSH into the node.

Cert-manager upgraded to version 1.11.5

API Connect 10.0.7.0 uses cert-manager 1.11.5. If your environment requires a manual installation or upgrade of cert-manager, the instructions are included as part of the API Connect installation and upgrade procedures.

Update to enabling API governance on VMware

Previously, you had to enable the API governance microservice by updating an extra-values file. Now you can enable the microservice by running the following command:

apicup subsys set mgmt_subsystem_name governance-enabled=true

Where mgmt_subsystem_name is the name of the management subsystem that you are configuring.

The governance microservice is set to false by default.

Updates to the Developer Portal local backup process

The Developer Portal now displays local backups, as well as remote backups, when the following command is run:

kubectl get portalbackup

Previously, local backups were visible only inside the portal pod.

Note that the Developer Portal retains only three system backups, and three backups per site, for local backups. Running a new local backup will cause the oldest backup to be deleted.

Enhancements to the Developer Portal caching process

The Developer Portal now has enhanced in-memory caching, which increases the speed of the page accesses for the Developer Portal web sites. This improved site performance is particularly helpful for long running administrative tasks, such as enabling and disabling modules. However, it is possible to disable these enhancements if required; see Enabling Developer Portal feature flags on Kubernetes, Enabling Developer Portal feature flags on OpenShift and Cloud Pak for Integration, or Enabling Developer Portal feature flags on VMware for information.

New backup, restore, and disaster recovery documentation

For Kubernetes, OpenShift, and Cloud Pak for Integration, the disaster recovery section is merged with the backup and restore section, and the requirement to backup the subsystem YAML files and Kubernetes secrets is more prominent. See Backing up, restoring, and disaster recovery.

For VMware, there is a new management subsystem backup section for v10.0.7.0. See Backing up and restoring the management subsystem.

Upgrade improvements

Updates to the analytics microservices are redesigned, leading to reduced downtime during upgrades.

What's new for security practitioners

Support for new OIDC protocol in LinkedIn

If you create a user registry for API Connect using LinkedIn as your OIDC provider, note that LinkedIn updated their OIDC protocol. The changes affect how you configure the OIDC registry in API Connect, and are explained in Creating an OIDC user registry in API Manager and Configuring an OIDC user registry in Cloud Manager.

LDAP updates

• The UI for creating an LDAP registry now provides options for specifying the scope for "Search DN" (subtree, one level, and base) as you can in the CLI.
• You can now specify whether your LDAP is Microsoft Active Directory in the UI and with the CLI, to ensure that the directory is handled correctly in API Connect.

For more information, see Configuring an LDAP user registry in the Cloud Manager and Using the CLI to configure a shared LDAP user registry .

API key now supports multiple uses

When defining the API key timeout in Cloud Manager, you can additionally choose whether to allow an application to exchange the API key for an access token multiple times. For more information, see Configuring API key timeouts.

OpenShift: Support for FIPS configuration on the API Connect cluster

For new deployments, you can configure support for the Federal Information Processing Standards (FIPS) protocol on the cluster. You must configure FIPS support before installing the OpenShift cluster. For more information, see Configuring FIPS support.

Cloud Pak for Integration replaces IAM with Keycloak as the OIDC provider and user accounts might require updates

Starting with 2023.4 (API Connect 10.0.7.0), Cloud Pak for Integration uses Keycloak as an OIDC provider to authenticate users instead of IAM (Identity and Access Management). Due to differences in how Keycloak and IAM treat user names, you might need to manually merge duplicate user accounts to ensure users can log in after the upgrade. For more information, see Resolving duplicate users before upgrading on Cloud Pak for Integration.