Known limitations and restrictions

Known limitations and restrictions exist in 10.5.0.

Known limitations

The following table lists the known limitations. When a limitation is removed, its row shows the release in which it was resolved.

Table 1. Known limitations
Limitation When resolved
If you cannot log in to a tenant after a secure restore operation or after running the reinitialize command, complete the following steps on the landlord.
  1. Access the configuration that defines the tenant.
  2. Change Administrative state to Off, and click Apply.
  3. Change Administrative state to On, and click Apply.
 
When you create the gateway-peering instance for API rate limits and the peering instance is in cluster mode, the following restrictions and limitations apply. These restrictions and limitations do not apply when the peering instance is in standalone or peer mode.
  • The peering instance must contain at least six nodes, where three nodes must be primary nodes.
  • After the creation of each node, wait until the cluster auto-configuration operation completes. When complete, you can create the next node in the peering instance. You can use the following artifacts to verify the completion of the operation.
    • View the logs.
    • View information that is provided in the gateway-peering cluster status provider.
 
If the rate limit configuration is not enabled, the following behavior occurs.
  1. All subsequent scale limits generate errors.
  2. The transaction fails.
 
To secure connections to an Oracle data source, the following TLS protocol versions are supported. The default protocol version is TLSv1.2. You can override the protocol version with the CryptoProtocolVersion configuration parameter.
  • For ODBC, TLSv1.2 and TLSv1.3.
  • For JDBC, TLSv1.2.

To specify TLSv1.2 and TLSv1.3, specify TLSv1.2,TLSv1.3 as the value for the CryptoProtocolVersion configuration parameter.

 
TLSv1.3 is unsupported in the TLS client profile for the analytics endpoint.  
Although you configured a proxy policy for the API gateway, the proxy policy does not apply to the analytics endpoint if it uses the Kafka protocol. The proxy policy is applied to the analytics endpoint only when it uses the HTTP or HTTPS protocol.  
When you create SafeNet Luna Network HSM client key-certificate pairs on the DataPower® Gateway, you must specify values in the following properties although the interfaces require only the Common name (CN) property.
  • Common name (CN)
  • Country name (C)
  • State (ST)
  • Locality (L)
  • Organization (O)
When a property is not defined, the Issuer and Subject contain the corresponding value from the following list.
  • C=CA
  • ST=Ontario
  • L=Ottawa
  • O=My company
When resolved: 10.5.0.18
Tenants never use the connection details from the landlord, and these details must match.
  • After you configure a tenant and you edit the details on the tenant, edit the details on the landlord to match the tenant.
  • After you secure-restore a tenant, edit the details on the tenant to match the landlord.
When resolved: 10.5.0.9
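
An added check for the SafeNet Luna Network HSM limitation in the table above (example code, not IBM's): it scans certificate Subject and Issuer strings for the placeholder values that the page lists, so that key-certificate pairs created with undefined properties can be found and reissued. The function names, the rating labels and the sample DNs are assumptions constructed for illustration; the input is the DN text with any `subject=` or `issuer=` prefix removed, for example as printed by `openssl x509 -noout -subject -issuer -nameopt RFC2253`.

```python
import re

# Placeholder values the page lists for undefined properties.
PLACEHOLDERS = {"C": "CA", "ST": "Ontario", "L": "Ottawa", "O": "My company"}

def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped separators inside a part."""
    return re.findall(r"(?:\\.|[^\\" + re.escape(sep) + r"])+", text)

def parse_dn(dn):
    """Return (type, value) pairs from a DN string such as 'O=Acme,C=US'."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            if "=" in ava:
                key, value = ava.split("=", 1)
                # Values stay escaped: no placeholder needs escaping.
                pairs.append((key.strip().upper(), value.strip()))
    return pairs

def placeholder_hits(dn):
    """Attribute types in dn whose value equals the page's placeholder."""
    return sorted(k for k, v in parse_dn(dn) if PLACEHOLDERS.get(k) == v)

def audit(certs):
    """certs: (label, subject, issuer) tuples. Returns a list of findings."""
    # C, ST and L can be genuine for an organization in Ottawa, so a hit is
    # rated 'likely' only when O matches too; otherwise it is 'review'.
    findings = []
    for label, subject, issuer in certs:
        for field, dn in (("subject", subject), ("issuer", issuer)):
            hits = placeholder_hits(dn)
            if hits:
                rating = "likely" if "O" in hits else "review"
                findings.append((label, field, hits, rating))
    return findings

# Constructed sample DNs, not taken from a real appliance.
SAMPLE = [
    ("pair-1", "CN=gw1.example.com,O=My company,L=Ottawa,ST=Ontario,C=CA",
     "CN=gw1.example.com,O=My company,L=Ottawa,ST=Ontario,C=CA"),
    ("pair-2", "CN=gw2.example.com,O=Example\\, Inc.,L=Austin,ST=Texas,C=US",
     "CN=Example Issuing CA,O=Example\\, Inc.,C=US"),
    ("pair-3", "CN=gw3.example.com,O=Example Ltd,L=Toronto,ST=Ontario,C=CA",
     "CN=Example Issuing CA,O=Example Ltd,C=CA"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `review` rating means only location attributes matched, which is also what a legitimate certificate for an Ontario organization looks like.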

Known limitations to the API gateway support for GraphQL exist. For this list, see GraphQL limitations.

Restrictions

The following permanent restrictions apply.

  • For HSM-equipped appliances with component firmware 2.09-0702 and later, the following restrictions apply.
    • The key transport algorithm must be rsa-oaep-mgf1p or rsa-oaep.
    • OAEP parameters are unsupported.
    • The OAEP digest algorithm cannot be md5 or ripemd160.
    • For the rsa-oaep key transport algorithm, the OAEP digest algorithm and the MGF algorithm must match.
  • For HSM-equipped appliances with component firmware 2.04-49 and earlier, the key transport algorithm must be rsa-1_5.
  • You cannot securely move keys from the HSM of an 8436-53X appliance to either 8441-53X or 8496-53X appliances. You can securely move keys between 8441-53X and 8496-53X appliances.
  • FIPS cryptographic mode is no longer available. The DataPower main task always operates in permissive mode. Even when configured in FIPS mode before an upgrade, the upgrade changes the mode to permissive.
  • SSLv3 is unsupported in the TLS profiles for the API Connect gateway service.