New in 10.6.0

The IBM® DataPower® Gateway 10.6.0 offers the following new features and enhancements.

For a list of resolved APARs, see Fix packs for DataPower Gateway 10.6.0.x.

Attention: In the next LTS, you will not be able to access the WebGUI even if you modify the browser URL. Access to the WebGUI in this manner will remain in the future 10.6.0 fix packs.
  • New in 10.6.0.8
    The following features are new to customers who upgrade to 10.6.0.8.
    • Upgraded SafeNet Luna Network HSM client to 10.9
    • Added support to collect request and response data to the invoke policy
  • New in 10.6.0.6
    The following features are new to customers who upgrade to 10.6.0.6.
    • Added support for CCM and ChaCha ciphers to TLS profiles
    • Added support to run diagnostics commands with event triggers
    • Added notification of password expiry for local user accounts
    • Added the read-only last updated property to local user accounts
    • Added OpenTelemetry integration support to the multi-protocol gateway and web service proxy
    • Added compression support to the OpenTelemetry exporter
    • Added support to manage HTTP request headers to include in OpenTelemetry spans
    • Added support to log the activity in CLI sessions
    • Added support to control the space for error logs that IBM MQ v9+ queue managers create
    • Added support to set the minimal message structure version to validate requests to IBM MQ v9+ queue managers
  • New in 10.6.0.5
    The following features are new to customers who upgrade to 10.6.0.5.
    • Added support to include logs for file-based log targets in error reports
    • Added support to secure connections to ICAP servers
  • New in 10.6.0.4
    The following features are new to customers who upgrade to 10.6.0.4.
    • Added support to the SSH server profile to control which host key algorithms to support
    • Added support to control the space for FFST files that IBM MQ v9+ queue managers create
  • New in 10.6.0.3
    The following features are new to customers who upgrade to 10.6.0.3.
    • Added support to the API security token manager to set the interval to run the cleanup for expired tokens
  • New in 10.6.0.2
    The following features are new to customers who upgrade to 10.6.0.2.
    • HSM-equipped appliances updated to support FIPS 140-3
    • Added support to the TLS client profile to control whether to ignore TLS peers that do not send the close_notify alert on shutdown
    • Added support to IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity
    • Added TLS 1.3 support to secure HTTP/2 connections with the HTTPS handler
    • Added offset support to the JSONata $toMillis function
  • New in 10.6.0.1
    The following features are new to customers who upgrade to 10.6.0.1.
    • Added support to the TLS server profile to control whether to ignore TLS peers that do not send the close_notify alert on shutdown
    • Added support to run actions that are related to the probe without the need to access the GUI
    • Added support for the sha256-rsa-MGF1 algorithm
    • Added support for more JSONata functions for use by assembly actions
    • Added an extension function to verify whether an action in an assembly is an assembly action or a processing action
    • Extended XSLT extensions that manage variables and message payload in JSON for custom XSLT processing by the API gateway
    • Extended the GatewayScript context.reject() API to support a custom HTTP status code and reason phrase
    • Added support to control which TLS profiles secure connections to retrieve WSDL files
  • New in 10.6.0.0
    10.6.0.0 includes all new features in 10.5.0.11 and earlier fix packs. 10.6.0.0 replaces the 10.5.4 CD release.
    • Added support for OpenTelemetry integration
    • Added support for OIDC authentication to RBM
    • Enhanced GitOps integration
    • Added support to disable TLS renegotiation completely
    • Added support to the API gateway to configure an LDAP connection pool and flush its cache
    • Added support for more JSONata functions for use by assembly actions
    • Added action and party that last modified an application or client key to API subscriber status

For more information about the new features, see the linked information.

10.6.0.8

The following information is a summary of the new features in 10.6.0.8.

Upgraded SafeNet Luna Network HSM client to 10.9
When you install this firmware version, the system upgrades the SafeNet Luna HSM client to 10.9. If you install an earlier firmware version, the client version changes to 7.2. Because these versions use different algorithms, the Luna HSM partition changes to the down operation state and logs the Failed to configure the Luna HSM partition message. In this case, regenerate the Luna client certificate and reregister it with the Luna server for NTLS connections. For more information, see Creating Luna HSM client key-certificate pairs and Registering a DataPower Gateway as a Luna HSM client.
Limitations:
  • When you use a key on the Luna HSM to rsa-oaep-mgf1p encrypt, only SHA1 digest is supported
  • When you use a key on the Luna HSM to rsa-oaep encrypt, the OAEP parameter cannot be longer than 64 bytes
  • When you use a key on the Luna HSM to rsa-oaep encrypt, the OAEP and MGF digest algorithms must match
Added support to collect request and response data to the invoke policy
When you configure an invoke policy, you can collect request and response data for analytics. By default, request and response data are not collected for analytics. For more information, see Adding an invoke assembly action to call another service from within your assembly.

10.6.0.6

The following information is a summary of the new features in 10.6.0.6.

Added support for CCM and ChaCha ciphers to TLS profiles
When you configure either a TLS client profile or a TLS server profile, you can use the following CCM and ChaCha ciphers.
  • [0xC09C] AES128_CCM
  • [0xC09D] AES256_CCM
  • [0xC09E] DHE_RSA_AES128_CCM
  • [0xC09F] DHE_RSA_AES256_CCM
  • [0xC0A0] AES128_CCM8
  • [0xC0A1] AES256_CCM8
  • [0xC0A2] DHE_RSA_AES128_CCM8
  • [0xC0A3] DHE_RSA_AES256_CCM8
  • [0xC0AC] ECDHE_ECDSA_AES128_CCM
  • [0xC0AD] ECDHE_ECDSA_AES256_CCM
  • [0xC0AE] ECDHE_ECDSA_AES128_CCM8
  • [0xC0AF] ECDHE_ECDSA_AES256_CCM8
  • [0xCCA8] ECDHE_RSA_CHACHA20_POLY1305
  • [0xCCA9] ECDHE_ECDSA_CHACHA20_POLY1305
  • [0xCCAA] DHE_RSA_CHACHA20_POLY1305
Added support to run diagnostics commands with event triggers
When you configure event triggers for a log target, you can set whether to start the command sequence in global or login mode. For more information, see Adding event triggers to a log target.
Global mode
In the CLI, you enter global mode by entering the configure terminal command. When you start in global mode, you cannot enter the exit;diagnostics; sequence to enter diagnostics mode.
Login mode
In the CLI, you typically enter login mode. From this mode, you enter the following modes.
  • Global mode by entering the configure terminal command.
  • Diagnostics mode by entering the diagnostics command.
As a security enhancement, you can set the access profile to associate the security context for the configuration data in the domain. The access profile applies only when the permission mode for the domain is set to Specific mode. When the permission mode is set to either Domain or Global mode, the access profile for this trigger is ignored. For more information, see Creating application domains.
Added notification of password expiry for local user accounts
When you configure password expiry in the RBM password policy for local user accounts, you set the expiry notification. When the expiry notification period is active, the following processing occurs.
  • At log in to the DataPower Gateway, a message is written to the log.
  • At log in to the DataPower CLI, a message is also written to the console. This message states how long the user has until they must change their password.
  • At log in to the DataPower GUI, currently no notification is presented to the user that states how long the user has until they must change their password.
For more information, see Defining the password policy.
Added the read-only last updated property to local user accounts
The configuration of each local user account includes the time when the account password was last changed. The system uses this value for expiry notification when the RBM password policy defines account expiry. When account expiry is defined and the password expires, the user is forced to change their password.
Added OpenTelemetry integration support to the multi-protocol gateway and web service proxy
When you configure a multi-protocol gateway or web service proxy without the wizard, you can configure OpenTelemetry integration.
Added compression support to the OpenTelemetry exporter
When you configure an OpenTelemetry exporter, you can control whether to export OTLP spans with gzip compression. By default, OTLP spans are exported without compression. For more information, see Configuring the exporter for an OpenTelemetry integration point.
Added support to manage HTTP request headers to include in OpenTelemetry spans
When you configure an instance of an OpenTelemetry object, you can control the HTTP request headers to include in spans. To manage the HTTP request headers to include in spans, you define PCREs to match against request headers to include and then define PCREs to match against the included headers to exclude. By default, no HTTP request headers are included in spans. For more information, see Defining an integration point for OpenTelemetry.
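The include-then-exclude selection described above, as an added example that is not DataPower code. It assumes header names are matched case-insensitively and uses JavaScript RegExp in place of the PCREs in the DataPower configuration; the sample headers and patterns are constructed.

```javascript
// Added example (not DataPower code): models how request headers are chosen
// for OpenTelemetry spans. Assumptions: header names match case-insensitively,
// and JavaScript RegExp stands in for PCRE.

function compilePatterns(patterns) {
  return patterns.map((p) => new RegExp(p, 'i'));
}

// Returns the subset of request headers that is attached to a span.
// Nothing is included unless an include pattern matches (the documented
// default of no headers), and an exclude pattern removes a header that an
// include pattern selected.
function selectSpanHeaders(headers, includePcres, excludePcres) {
  const include = compilePatterns(includePcres);
  const exclude = compilePatterns(excludePcres);
  const selected = {};
  for (const [name, value] of Object.entries(headers)) {
    const included = include.some((re) => re.test(name));
    const excluded = exclude.some((re) => re.test(name));
    if (included && !excluded) selected[name] = value;
  }
  return selected;
}

// Constructed sample request headers for demonstration only.
const sampleHeaders = {
  'Host': 'api.example.com',
  'X-Request-Id': 'req-42',
  'X-Correlation-Id': 'corr-7',
  'Authorization': 'Bearer <constructed-token>',
  'X-Api-Key': '<constructed-key>',
  'Content-Type': 'application/json',
};

// Include every X-* header, then exclude the credential-bearing one so that
// it is never written into exported span data.
const includePcres = ['^x-'];
const excludePcres = ['^x-api-key$'];

console.log(selectSpanHeaders(sampleHeaders, includePcres, excludePcres));
```
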
Added support to log the activity in CLI sessions
During problem resolution with IBM Support, the clirecording log target in the default domain can capture the interactive data for the CLI session. When you enable CLI session logging, the command and its output are also written to this log target, up to the maximum number of lines. You do not need to create or enable this log target. For more information, see CLI session logging.

After you establish a CLI session, you can use the global clirecord command and specify the maximum number of lines to write to the log target for each command. You can enter a value in the range 1 - 9999, where the default value is 1000. A value of 0 writes no data to the log target, which effectively disables logging. For more information, see clirecord.

Added support to control the space for error logs that IBM MQ v9+ queue managers create
When you configure an IBM MQ v9+ queue manager, you can modify the maximum space that the queue manager uses for error logs. To define the space for error logs, you set the size of the file in bytes and the number of rotations. By default, the queue manager uses 3 rotations of 33,554,432 byte (32 KB) files. For more information, see Configuring an IBM MQ queue manager.
Added support to set the minimal message structure version to validate requests to IBM MQ v9+ queue managers
When you configure an IBM MQ v9+ queue manager, you can specify the compatibility mode for requests to the queue manager, where the minimum required structure version is used. This setting is for message validation. By default, validation is against the version 3 structure. For more information, see Configuring an IBM MQ queue manager.

10.6.0.5

The following information is a summary of the new features in 10.6.0.5.

Added support to include logs for file-based log targets in error reports
When you configure a file-based log target, you can define whether to include its log files in any generated error report. For more information, see Creating a log target to write entries to a local file.
Added support to secure connections to ICAP servers
When you add an antivirus action to a processing policy, you can specify the TLS client profile that secures the connection with the ICAP server. For more information, see Adding an action to send messages to a virus scanner.

10.6.0.4

The following information is a summary of the new features in 10.6.0.4.

Added support to the SSH server profile to control which host key algorithms to support
When you modify the SSH server profile, you can specify which host key algorithms the server supports. Host key algorithms are the algorithms that sign and verify the authenticity of an SSH server's host key. An empty list indicates that the server supports all algorithms. By default, the SSH server profile supports all algorithms. For more information, see Modifying the SSH server profile.
Added support to control the space for FFST files that IBM MQ v9+ queue managers create
When you configure an IBM MQ v9+ queue manager, you can define the maximum space in KB that the queue manager can use for the FFST (first-failure support technology) files. By default, FFST captures 3 rotations of 500 KB files. For more information, see Configuring an IBM MQ queue manager.

10.6.0.3

The following information is a summary of the new features in 10.6.0.3.

Added support to the API security token manager to set the interval to run the cleanup for expired tokens
When you configure the API security token manager in an application domain, you can set the interval in minutes to run the cleanup for expired tokens. The cleanup task applies only to the internal token store. By default, the task runs every 3 hours. For more information, see Defining the API security token manager.


10.6.0.2

The following information is a summary of the new features in 10.6.0.2.

HSM-equipped appliances updated to support FIPS 140-3
The component firmware for the Cavium HSM card is updated to support FIPS 140-3 level 3. Before the update, HSM-equipped appliances supported FIPS 140-2 level 3.
Added support to the TLS client profile to control whether to require TLS peers to send the close_notify alert on shutdown
When you configure a TLS client profile, you can control whether to require TLS peers to send the close_notify alert on shutdown. The close_notify alert at the end of a TLS connection is mandatory. However, some peers do not send the close_notify alert, which abruptly ends the TLS connection. For more information, see Creating a TLS client profile.
Added support to IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity
When you configure an IBM MQ v9+ queue manager, you can modify the behavior of OCSP and CRL checking for TLS connectivity. The default behavior for OCSP and CRL checks for TLS connectivity is as follows.
  • Attempt an OCSP security check against the servers in the AuthorityInfoAccess (AIA) certificate extension.
  • When the revocation status of a certificate cannot be determined from an OCSP server, the connection is closed with an error.
  • Do not run a CDP revocation check against the servers in the CrlDistributionPoint (CDP) certificate extension.
  • Attempt to load the configuration for certificate revocation from the CCDT file, and run the check as configured. If the CCDT file cannot be opened or the certificate cannot be validated, the MQCONN call fails.
For more information, see Configuring an IBM MQ queue manager.
Added TLS 1.3 support to secure HTTP/2 connections with the HTTPS handler
When you configure an HTTPS handler to secure HTTP/2 connections, you can secure connections with TLS 1.3 ciphers.
Added offset support to the JSONata $toMillis function
When you use the JSONata $toMillis function, you can specify the timestamp with an offset instead of in Coordinated Universal Time. For more information, see Supported JSONata Date/Time functions.

10.6.0.1

The following information is a summary of the new features in 10.6.0.1.
Added support to the TLS server profile to control whether to require TLS peers to send the close_notify alert on shutdown
When you configure a TLS server profile, you can control whether to require TLS peers to send the close_notify alert on shutdown. The close_notify alert at the end of a TLS connection is mandatory. However, some peers do not send the close_notify alert, which abruptly ends the TLS connection. For more information, see Creating a TLS server profile.
Added support to run actions that are related to the probe without the need to access the GUI
On the DataPower Gateway, you can use the commands in debug probe mode to run actions that are related to the probe. The probe is used to capture data for transactions that a service processes that you can use to help troubleshoot a problem. For more information, see Debug probe commands.
Added support for the sha256-rsa-MGF1 algorithm
When you configure the sign action, you can specify the asymmetric sha256-rsa-MGF1 algorithm. When a message is signed with this algorithm, the verify action can verify this RSA-signed message.
Added support for more JSONata functions for use by assembly actions
When you use JSONata in assembly functions, you can now use the following functions from the JSONata Date/Time and Numeric function libraries.
Added an extension function to verify whether an action in an assembly is an assembly action or a processing action
When you define custom XSLT processing for an API gateway, you can use the apigw:is-assembly-action() extension function to verify whether the action in an assembly is an assembly action or a processing action. Returns true when the action is an assembly action. Otherwise, returns false when the action is a processing action. For more information, see apigw:is-assembly-action().
Extended XSLT extensions that manage variables and message payload in JSON for custom XSLT processing by the API gateway
When you create the stylesheet for an XSLT assembly action, the following XSLT extensions are enhanced to support JSON variables and message payloads.
apigw:set-payload extension element
Added the jsonx2json and parse-string attributes. The jsonx2json attribute specifies whether to convert the payload from JSONx to a JSON object. The parse-string attribute specifies how to parse the payload. For more information, see apigw:set-payload.
apigw:read-payload()
Added the stringify parameter. This parameter specifies whether to read the payload as a string instead of an XML or JSON document. For more information, see apigw:read-payload().
apigw:set-variable extension element
Added the jsonx2json and parse-string attributes. The jsonx2json attribute specifies whether to convert the variable value from JSONx to a JSON object. The parse-string attribute specifies whether to parse and convert the variable value to a JSON object. For more information, see apigw:set-variable.
apigw:get-variable() extension function
Added the stringify parameter. This parameter specifies whether to get the variable value as a string instead of an XML or JSON document. For more information, see apigw:get-variable().
Extended the GatewayScript context.reject() API to support a custom HTTP status code and reason phrase
When you create a custom GatewayScript that uses the context.reject() API, you can add your own custom HTTP status code and reason phrase. For more information, see context.reject().
Added support to control which TLS profiles secure connections to retrieve WSDL files
When the URL to retrieve the file starts with https://, the retrieval uses the system-wsgw-management-loopback-ua user agent in the default domain. By default, this user agent uses the system-wsgw-management-loopback TLS proxy profile, which is predefined and you cannot modify its cryptographic artifacts (profiles).

As the TLS proxy profile is deprecated, you can modify the system-wsgw-management-loopback-ua user agent in the default domain to modify the TLS profile policy to use TLS client profiles. When you modify the TLS profile policy, make sure that you delete the entry for the deprecated TLS proxy profile. For more information, see Adding a TLS profile policy.

10.6.0.0

The following information is a summary of the new features in 10.6.0.0. 10.6.0.0 includes all new features in 10.5.0.11 and earlier fix packs. 10.6.0.0 replaces the 10.5.4 CD release.
Added support for OpenTelemetry integration
On the DataPower Gateway, you can configure integration points for OpenTelemetry. This support is primarily for API Connect integration. For more information, see OpenTelemetry integration.
Added support for OIDC authentication to RBM
When you configure RBM settings, you can define OIDC as the authentication method. This authentication method securely connects to an OIDC identity endpoint to retrieve public keys for OIDC validation. For more information, see Defining RBM for OIDC authentication.
Enhanced GitOps integration
  • In the default domain, you can define GitOps variables. GitOps variables are the vector of global name-value pairs for use in GitOps templates. For more information, see Managing GitOps variables for GitOps templates.
  • While you are creating a GitOps template entry, you can test what the template entry does and whether it works as expected. For more information, see Managing GitOps templates.
  • When you use GitOps, you can view the status for GitOps and GitOps template operations. These status providers provide the necessary details to help in troubleshooting. For more information, see Viewing status for GitOps and GitOps template operations.
  • Added the global gitops-remove-template command to trigger the removal of a template from the Git repository that is configured in the GitOps object. For more information, see gitops-remove-template.
Added support to disable TLS renegotiation completely
When you configure a TLS profile, you can define the profile to disable TLS renegotiation completely. For more information, see TLS connections.
Added support to the API gateway to configure an LDAP connection pool and flush its cache
When you configure an API gateway, you can assign an LDAP connection pool to connect to the LDAP server. Each API gateway maintains a cache for its LDAP connection pool. For operational reasons, you might need to clear the data in the LDAP cache. For more information, see Configuring an API gateway.
Added support for more JSONata functions for use by assembly actions
When you use JSONata in assembly functions, you can now use the $now() function from the JSONata Date/Time function library.
Added action and party that last modified an application or client key to API subscriber status
When you view information about API subscribers, the data includes the action and party that last modified the application or client key. For more information, see Viewing shared storage for API subscribers.