Known limitations
This page describes the known limitations for API Connect Enterprise as a Service.
- Limitations to the updated schema editor for API definitions
- The Definitions section of the API editor for the API Manager and API Designer UIs was updated in
API Connect. However, the following limitations apply:
- You cannot rename the top level schema.
- The top level schema doesn't display the
minProperties
,maxProperties
, andenum
properties for the definition. - The
OneOf
,AllOf
, andEnum
schema structures aren't handled properly by the UI.
- API Designer with Local Test Environment (LTE) fails to log in using https://localhost with the error message "Incorrect username, password, or credentials"
- If you use the API Designer with the Local Test Environment and attempt to log in using the
localhost, the login fails. You can work around the issue by configuring API Designer credentials to
with the local host. Complete the following steps:
- Download and extract API Designer, then install the credentials file as explained in steps 1, 2, and 7 in Setting up the API Connect toolkit.
- Edit the designer_credentials.json file and configure the following settings:
"endpoint": "https://localhost"
"manager_endpoint": "https://localhost/manager"
"client_id": Client Id
The client ID displays on the console when you start the LTE platform-apic-lte. For more information, see Testing an API with the Local Test Environment.
"client_secret": Client Secret
The client secret displays on the console when you start the LTE platform-apic-lte. For more information, see Testing an API with the Local Test Environment.
- Start API Designer and log in with the LTE using https://localhost as the Host URL (the management endpoint).
- API Connect Enterprise as a Service requires your instance name to be 25 characters or less
- When you create a new instance of API Connect Enterprise as a Service, limit the instance name to 25 characters or less.
- API Connect Enterprise as a Service requires your IBMid to match your primary email address
- If your IBMid does not match your primary email address, you will encounter problems when you
try to sign into your service instance, where the sign-in page gets stuck in a loop and never signs
you in to API Connect.
- If you plan to provision or work with API Connect Enterprise as a Service, you must first update your IBMid (or create a new one) so that it matches your primary email address.
- If you already provisioned an instance of API Connect Enterprise as a Service using an
unsupported IBMid, do one of the following:
- Ask IBM Support to delete the instance before updating your IBMid and provisioning a new instance.
- Create a new IBMid with an email address that matches your primary email address, and then provision a new instance.
- API Designer might hang while activating a large imported API
- When you import a large API using API Designer and attempt to activate the API in the import
wizard, the process might hang. If you encounter this issue, you can work around the problem by
completing the following steps:
- On your local file system, locate the autoproduct file called API-NAME-auto-product_API-VERSION.yaml.
- Delete the file.
- In API Designer, edit the newly imported API and activate it by clicking the Online toggle.
In general, it is best practice to activate an API using the Online toggle or by publishing the API with the Publish option.
- API Connect Enterprise as a Service allows connections to endpoints for up to 127 seconds.
- Even if your API continues sending keepalive events, the connection will be closed after 127 seconds.
- API Designer on Windows: APIs that use WSDL might encounter errors, or fail to activate, publish, or update.
- If you activate, publish, or update a REST or SOAP API that uses a WSDL file, the operation might fail and never complete. Work around the issue by using the autopublish API feature in the API editor.
- Permission restrictions in the API Designer UI
- The API Designer UI
currently has the following permission restrictions:
- Developers that have been given only View permissions cannot see the Test tab in the API editor. For developers to be able to see the Test tab, they must be given a different permission level. For information about the default permission levels available, see API Connect user roles.
- Users with API-Drafts permissions, but who don't have any Sandbox Catalog permissions, cannot see the Test preferences in the Sandbox Catalog. For these users to be able to see the Test preferences, they must be given the Developer or Administrator role on the Sandbox Catalog.
- Deleted security requirements might remain in the API source
- Security requirements that are deleted from APIs in the API Designer and API Manager UIs, might still remain in the source. To work around this issue, click the Source icon in the API editor, and manually remove the security requirements.
- Cannot add comments to APIs by using the Source view in the API Designer and API Manager UIs
- Comments cannot be added to APIs in the API Designer and API Manager UIs by clicking the Source icon , and using the hashtag symbol.
- Changing Product visibility from Custom to Public doesn't automatically remove the Consumer organizations and groups
- In the API Designer and API Manager UIs, changing Product visibility from Custom to Public doesn't automatically remove the consumer organizations and groups, so the Product publish will fail. To work around this issue, manually remove all of the consumer organizations and groups.
- Stale cache can result in unexpected behavior in the API Manager UI
- Having a stale cache in your browser can result in unexpected behavior in the API Manager UI, such
as fetch errors, incorrect data being displayed, and blank pages. To work around this issue, complete the
following actions:
- Reload the browser window.
- If there is still an issue, clear the browser cache and then log back in to the UI.
- Try using a private browser window.
- If possible, try a different browser type.
- Back-end connections over public network only for API Connect Enterprise as a Service
- In API Connect Enterprise as a Service, back-end connections for invoke will only be supported over the public network.
- API Connect Enterprise as a Service does not support private endpoints for APIs
- In API Connect Enterprise as a Service, APIs will only be callable through the public network. Private endpoints are not supported.
- Analytics command restrictions
- The following
--mode analytics
commands work only when the flag--return_format
is set to eitherjson
oryaml
:clustermgmt:catAllocation
clustermgmt:catIndices
clustermgmt:catNodes
clustermgmt:catRecovery
clustermgmt:catShards
clustermgmt:catAliases
text/plain
:clustermgmt:getNodesHotThreads
clustermgmt:getNodesHotThreadsById
- Scale limits are used by default for the plan, collection, and operation rate and burst limits
- Scale limits are used by default for the plan, collection, and operation rate
and burst limits. Therefore, the following burst limit response headers are not used for the
converted burst limits:
"X-BurstLimit-Limit"
"X-BurstLimit-Remaining"
"X-RateLimit-Limit"
"X-RateLimit-Remaining"
Note that this limitation does not apply to assembly burst limits.
- Options menus in the Catalog might be hidden
- In a Catalog, in any of the different tabs such as Consumers, or Subscriptions, when clicking on the options icon the menu items might be hidden. To work around the issue, reload the page and the menu items will appear.
- Override plan rate limits are not displayed in the Endpoint tab
- Any override plan rate limits that have been added to your API for individual operations are not displayed in the API Endpoint tab in the UI. Only the plan rate limit is displayed.
- Consumer rate limit notifications are not available in Version 10
- The ability to configure notifications for applications so that API consumers are alerted when the usage of an API is nearing its rate limit is not available.
- The 'strict' SameSite cookie causes incorrect invitations to consumer organizations
- Using the 'strict' SameSite cookie might cause invitation links from emails to
send users to a registration page where they are asked to create a new consumer organization instead
of joining the organization they were invited to.
The workaround is to using the 'Lax' SameSite Cookie attribute.
- Limitations to the OpenAPI 3.0 support
- IBM API Connect supports the OpenAPI 3.0 specification, with some limitations. For information about what is supported, see OpenAPI 3.0 support.
- A GraphQL API that contains a
graphql-input-type-cost
rate limit fails to publish - A GraphQL API created in releases
earlier than IBM API Connect
Version 10.0.3.0 might contain a
graphql-input-type-cost
rate limit, which is no longer supported. If you attempt to use the automatic activation mechanism to publish the API, or manually add the API to a Product and attempt to publish that Product, the publish operation will fail. You can resolve this problem in either of the following ways:- Remove the rate limit definition from the OpenAPI source for the API. For example, if the source
is in YAML format, remove the following lines:
- name: graphql-input-type-cost operation: consume
- Edit the source for the Product and define a
graphql-input-type-cost
rate limit in all of the Plans that include the API.Note: You can edit only a manually created Product, not a Product that is generated by the automatic activation mechanism.
- Remove the rate limit definition from the OpenAPI source for the API. For example, if the source
is in YAML format, remove the following lines:
- Options menu is missing from items on the Product list pages
- If, in the API Manager user interface, you open the Product list page in either a Catalog or a Space, the options menu icon might be missing from alongside all of the listed Products. To resolve this problem. reload the page.
- A unique email address is required for all Developer Portal accounts
- Remember that every account in
the Developer Portal,
including across different user registries for the same site, must have a unique email address,
including the site Admin account. The default email address for the Admin account is the email
address of the Catalog owner. It is not possible to create a Developer Portal user
account (and associated consumer organization) with the same email address as the Admin account (or
that of the Catalog owner if their email address is different). Any attempts to create an account
with the same email address results in the new account not functioning correctly, and returning the
following error message when trying to log in to the Developer Portal:
A user already exists with this email address
.For example, if you configure three different user registries for a particular Developer Portal site, the email address alice@acme.com can be used to log in to the site from only one of the user registries.
- Configured user registries incorrectly allow the unsupported
external_group_mapping_enabled: true
option - API Connect does not support a configured user registry that is based on a
registry where
external_group_mapping_enabled
is set totrue
. Under certain conditions you can create a configured user registry based on a user registry with the unsupported option; if this happens you will encounter errors while onboarding users.You can create and update user registries with the
apic user-registries:create
andapic user-registries:update
commands. Both commands accept theexternal_group_mapping_enabled
option. If you then create a configured user registry with theconfigured_catalog_user_registries:create
command, the results depend on how you set theexternal_group_mapping_enabled
option in the user registry.Suppose you create a user registry (for example, call it UR) and you want to create a configured user registry (call it CUR) based on UR. Consider the following scenarios:
- You create UR with the
external_group_mapping_enabled: false
. In this case, you can create your CUR based on that registry. - You create UR with
external_group_mapping_enabled: true
. In this case, you cannot base a configured user registry on it, so the creation of CUR fails. - You create UR with
external_group_mapping_enabled: false
and create CUR based on it, as in scenario 1. However, you then update UR and setexternal_group_mapping_enabled: true
. In this case, you have a problem.The operation described in scenario 3 is not currently blocked, so you will successfully create an unsupported CUR and then run into errors when you attempt to onboard users. To resolve the issue, complete one of the following workarounds:- Update UR (the base user registry) and set
external_group_mapping_enabled: false
. - Leave UR with
external_group_mapping_enabled: true
but delete the configured registry (CUR) that is based on it.
- Update UR (the base user registry) and set
- You create UR with the
- A Product republish, with the Preserve Subscriptions option, fails after a consumer organization group has been removed from the visibility settings
- If you remove a consumer organization group from the custom visibility settings for a Product, and that group contains a consumer organization with an application that is subscribed to the Product, an attempt to republish the Product with the Preserve Subscriptions option will fail even if that consumer organization is then added to the custom visibility settings individually.
- For a secured GraphQL API, GraphQL subscriptions cannot be tested by using the Test tab in the user interfaces
- For a GraphQL API that is secured by client ID, GraphQL subscriptions
cannot be tested by using the Test tab in the API Designer or API Manager user interfaces. The
API can still be published and used in production.You can test GraphQL subscriptions in either of the following alternative ways:
- Remove client ID security from the API, for testing purposes, then use the Test tab.
- Use an external test tool.
- A published API whose assembly contains a catch block with an invalid policy will now correctly fail to republish
- Previously, policies in an assembly catch block were not validated, so if an incorrect policy configuration was coded in the OpenAPI source for an API, within an assembly catch block, the API would still publish successfully. Now, policies in an assembly catch block are validated, so such an API will fail to republish and will first need to be corrected.
- An existing user cannot be added to a Space
- If you attempt to add an existing user
to a Space, the operation cannot be completed because the Create button is
not enabled. Instead, use the invitation mechanism. For details, see Managing Space membership.Note: The invited user must use the Sign in option on the activation form, rather than completing the registration details and using Sign up.
- Adding an
operation-switch
policy to an API assembly produces an incorrect warning message - If you add a Version 2.0.0
operation-switch
policy to an API whose gateway type is DataPower® API Gateway, the API Setup page on the Design tab displays an incorrect warning stating that the policy is not valid for the gateway type. This warning message can be ignored. - Simultaneous editing of the same API by multiple users might result in changes being overwritten
- If one user saves changes to an OpenAPI 3.0 API, another user who has the same API open in the API editor might have their changes overwritten.
- Validate policy limitations when GraphQL response contains a GraphQL server error
- When a GraphQL response contains a GraphQL server error and no
data, the assembly Validate policy generates an error on the missing data and overwrites the
payload. When the response contains partial data and an error, the assembly Validate action
validates the data and overwrites the payload. To work around this limitation, use the condition
$not($exists(message.body.errors))
in an assembly switch condition to skip the assembly Validate policy when the response contains errors.
- GraphQL API test fails when the generated example query contains variable definitions
- If, when testing a GraphQL API
in the Test tab, you use the Example dropdown menu to
generate a Small, Medium, or
Large query, and the generated query contains variable definitions, those
variables are not added to the HTTP request, which then fails with the following
error:
Parser failed with error: syntax error, variables type is neither a JSON object nor null.
To resolve this problem, modify the query to remove the variable definitions before re-sending the HTTP request.
- Changes to parameters in an API definition aren't reflected on the Test tab
- If you add or remove parameters in an API definition on the Design tab and then open the Test tab, the changes might not be reflected immediately. If you are using the API Manager user interface, either restart the browser or clear the browser cache and cookies, if you are using the API Designer user interface, restart the application. Then reopen the Test tab in the API definition.
- An OpenAPI definition that contains regular expression syntax fails validation
- IBM API Connect supports the GO regular expression
syntax. When you import an OpenAPI definition into the API Designer or API Manager user interfaces, or
validate one with the
apic validate
, the validation will fail if the OpenAPI source contains unsupported regular expression syntax, with errors that includeDoes not match format 'regex'
; for example:- Must validate at least one schema (anyOf) (context: (root).paths./example/types.post.parameters.0.schema.properties.items, line: 0, col: 0) - Must validate one and only one schema (oneOf) (context: (root).paths./example/types.post.parameters.0, line: 46164, col: 21) - paths./example/types.post.parameters.0.schema.properties.items.properties.pattern Does not match format 'regex' (context: (root).paths./example/types.post.parameters.0.schema.properties.items.properties.pattern, line: 0, col: 0)
- Incorrect UI behavior if API changes are not saved before creating a new API version
- If you make changes to an API definition and then attempt to create a new API version without first saving your changes, you are not prompted to save your changes until after you have completed the new version creation operation. If you click OK in the prompt, your new version is created but your original changes are lost; to create your new version and retain your original changes, you should click Cancel in the prompt, then click Save to save your original changes.
- Login to the API Manager user interface might fail with error 431 if the browser has a large number of cookies
- Attempts to login to the API Manager user interface might fail if the HTTP header or cookie size is larger than 16 KB, a limitation that is imposed for security reasons. To resolve this problem, either clear the browser cache and cookies, or open a private window, then retry.
- Pagination setting is global across the API Connect user interfaces
- If you set the Items per page value on any page in the API Manager user interface, that setting is then applied to all pages in both user interfaces in the same browser session. If you want to set the value separately for a specific page, open it in a private browser window. Such a setting in a private browser window is specific to that window and is lost when the window is closed.
- Field validation for the Client security policy is incorrect
- When configuring a Client Security policy in an API
assembly in the API Designer
or API Manager user
interfaces, there is the following incorrect validation behavior:
- The ID Name field is required, but the API definition can be saved without entering a value in the field.
- The Secret Name field is required only when the Secret Required option is selected, but the user interface indicates that the Secret Name field is required regardless. Furthermore, when the field is required, the API definition can be save without entering a value.
- If the Authenticate Client Method is set to Third party, the User Registry Name field is required, but the API definition can be saved without entering a value in this field.
- User interfaces are not supported in Microsoft Edge
- The API Manager and Cloud Manager user interfaces are not supported in the Microsoft Edge web browser. To work in the user interfaces, use a different browser.
- Changes to an OAuth provider are not reflected in the consuming APIs
- If you modify the endpoints, scopes, or grants for an OAuth provider, the APIs that consume that OAuth provider will be affected. You might need to update the consuming APIs accordingly.
- No option to bulk delete APIs or Products
- In the API Designer and API Manager user interfaces, there is currently no option to delete multiple APIs or Products in a single operation; in the user interfaces, APIs and Products must be deleted individually. However, you can bulk delete APIs and Products by using the REST API or CLI interfaces.
- Cannot publish an imported API that was generated with IBM API Connect Version 5.0 LoopBack®
- If
you import an API YAML file that was generated with IBM API Connect Version
5.0
LoopBack, attempts to
publish the API fail. Before publishing, remove the catalogs section, and the invoke policy named
tls-invoke-profile
, from the YAML source of the API definition; for example:catalogs: apic-dev: properties: runtime-url: $(TARGET_URL) sb: properties: runtime-url: 'http://localhost:4001
- Cannot publish an API that has duplicate security definition entries
- The API Designer and API Manager user interfaces allow you to add duplicate security definitions to an API. However, attempts to publish the API will fail with OpenAPI validation errors. Ensure that the security definitions in an API are unique.
- Logging in to the API Connect user interfaces fails when using the Safari web browser
- If you are using the Safari web browser and a Basic Authorization header exists for the same DNS domain in which API Connect is running, attempts to log in to the API Connect user interfaces, or to sign up by using an activation link, fail. To avoid this problem, use an alternative web browser.
- An OAuth provider fails if the resources that it references aren't enabled in the Catalog
- If you enable an OAuth provider in a Catalog then any resources that it references, such as API user registries or TLS client profiles, must be enabled in the same Catalog; if not, then although the OAuth provider might publish successfully it will fail at run time. For information on enabling resources in a Catalog, see Creating and configuring Catalogs.
- Redact conditions within
switch
,operation-switch
, orif
policies might not execute after converting to DataPower API Gateway -
If an API Connect v5-compatible
redact
policy is found within aswitch
,operation-switch
, orif
policy, the migration utility does not move theredact
policy to the beginning or end of the assembly. The difference in the response between API Connect v5 and DataPower API Gateway may prevent data from being redacted in the DataPower API Gateway.For example, if an assembly includes a
switch
policy containing four redact conditions followed by aninvoke
policy, each redact condition redacts the response data. After porting to the API Gateway, the redact conditions remain inside theswitch
policy and target themessage.body
property for redaction. These redactions fail to execute because themessage.body
property has not yet been retrieved by theinvoke
policy. To correct this problem, you must move theinvoke
policy before theswitch
policy in the assembly. - Redact on invalid XPath fails after converting to DataPower API Gateway
- A
redact
policy containing an XPath with a trailing slash is converted by the migration utilityapicm archive:port-to-apigw
command without removing the slash. This path is invalid. When the API containing this policy is called, anassembly redact
error is generated. - "Test" tab's Trace feature displays blank policies list in Firefox
- When you create an API, you can invoke it and debug its execution using the Test tab. The Test tab shows the API's response and includes a subtab where you can run a trace on the API's translation flow. In Firefox, the Trace tab's list of policies is empty. Use Chrome to debug your API so you can see the policies list in the trace.
- Analytics REST API support for multiple query parameters
- It is not possible to use multiple query parameters for the same nested API event record field
when making calls to the analytics REST API. For
example:
/cloud/events?response_http_headers[X-Client-IP]=not:10.51.11.183&response_http_headers[X-Client-IP]=not:10.51.11.184
- Limitations to support for JSONata
- The DataPower API Gateway
support for JSONata notation has the following limitations and restrictions.
-
You cannot extract or redact content from the same source that is defined in the root. For example, if the root is defined as
message.body.a
, the action fails if the content to extract or redact is defined as the entire input.As a workaround, remove the last element of the root and define that element as the content to extract or redact. For the previous example, define root as
message.body
and the content asa
. - New JSON objects cannot be constructed from the capture field that is specified in an Extract policy. As a
workaround, use the transform expression
$merge([])
to construct the empty object. You can then specify more extracts as needed for key-value pairs. - If soft linked copies of a field exist in different locations, an Extract or Redaction policy can cause content
from all of the linked fields to be extracted or redacted. As a workaround for the Extract policy, use the
$merge($spread($))
object function to construct new, unlinked objects and arrays. For example, the following transform expressions construct unlinked copies of the fieldc
.\"a\": $merge($spread($.c) \"b\": $merge($spread($.c)
-