What’s new in 7.6

IBM® DataPower® Gateway 7.6 offers the following new features and enhancements.

For more information, see the linked topics in IBM Knowledge Center.

Next-generation hardware platform: Type 8441 appliance

The new hardware platform Type 8441 appliance provides increased capacity, performance, and serviceability to meet infrastructure requirements. For information about how to install and configure, see the installation documentation.

Create API Connect tenants on a physical DataPower Gateway

On a physical DataPower Gateway with the Tenant feature, you can create API Connect tenants. A DataPower Gateway with tenants provides runtime isolation and upgrade flexibility, so that mission-critical digital workloads can be isolated from traditional business workloads without business disruption. Each tenant uses a tenant-specific firmware image.

Enhanced security

OAuth 2.0 and OIDC support
Consent lifetime for an OAuth access-refresh token pair
You can set the maximum consent lifetime for an OAuth access-refresh token pair before the application must gather consent again. With this support, the access_token and refresh_token lifetimes do not exceed the consent limit, regardless of how many times an application refreshes its access.
OAuth access token as a one-time use token
You can set an OAuth access token as a one-time use token. One-time use tokens require the token cache or the distributed cache. When the verbose option or the probe is enabled, the access_token payload shows the one_time_use claim with a value of true.
Initial token generation time
With this support, the DataPower Gateway tracks the first time the permission is granted, regardless of how many times the application has refreshed its permission. This information is provided in the access_token payload as the consented_on claim. The value is in UNIX epoch format and indicates when consent was given.
OAuth grant type that is used to receive the permission
With this support, the DataPower Gateway tracks the OAuth grant_type that is used to negotiate the permission. When the verbose option or the probe is enabled, this information is provided in the access_token payload as the grant_type claim.
When the refresh token will expire
With this support, the DataPower Gateway reports when the refresh_token expires in the access_token payload as the refresh_token_expires_in claim.
Added the scope_override_request operation
Use the scope_override_request operation in a stylesheet to override the scope that is requested by the application. This operation is part of custom OAuth processing to modify the default behavior of the OAuth client.
at_hash claim
When the DataPower Gateway is the OIDC provider, it supports the at_hash claim as defined in the OIDC specification.
Inspect TLS connection information
You can check the TLS connection information between clients and the DataPower Gateway by using the read-only var://service/tls-info variable. The information contains the following data.
  • The TLS or SSL version
  • The cipher
  • The peer certificate, if any
  • The SNI extension header from the client, if any

With this variable, you can add extra checks, for example to ensure that the host name in the SNI extension from the client matches the host name in the Host header.
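As an added example (not code from the release notes or from DataPower), the SNI-against-Host check suggested above written as a plain JavaScript function. The shape of the tls-info object and the sample values are assumptions made for this example; in GatewayScript you would read var://service/tls-info and pass the parsed result in.

```javascript
// Normalise a host name for comparison: lower-case, strip a trailing dot and,
// for a Host header, strip the optional port (IPv6 literals keep their brackets).
function normalizeHost(value) {
  if (typeof value !== 'string') return null;
  let host = value.trim();
  if (host.startsWith('[')) {
    // IPv6 literal such as "[::1]:8443" -> "[::1]"
    const end = host.indexOf(']');
    if (end < 0) return null;
    host = host.slice(0, end + 1);
  } else {
    const colon = host.indexOf(':');
    if (colon >= 0) host = host.slice(0, colon);
  }
  host = host.toLowerCase();
  if (host.endsWith('.')) host = host.slice(0, -1);
  return host.length > 0 ? host : null;
}

// Compare the SNI name from the TLS handshake with the HTTP Host header.
// Returns a decision object so the caller can log the reason or reject the request.
// tlsInfo is ASSUMED to carry the SNI name in a "sni" property.
function checkSniMatchesHost(tlsInfo, hostHeader, opts = {}) {
  const requireSni = opts.requireSni !== false; // default policy: SNI is mandatory
  const sni = normalizeHost(tlsInfo && tlsInfo.sni);
  const host = normalizeHost(hostHeader);
  if (!host) return { ok: false, reason: 'missing or malformed Host header' };
  if (!sni) {
    return requireSni
      ? { ok: false, reason: 'client sent no SNI extension' }
      : { ok: true, reason: 'no SNI; check skipped by policy' };
  }
  // SNI (RFC 6066) carries only a DNS host name, never a port or an IP literal,
  // so after normalisation an exact comparison is the right test.
  if (sni !== host) {
    return { ok: false, reason: `SNI "${sni}" does not match Host "${host}"` };
  }
  return { ok: true, reason: 'SNI matches Host' };
}

// Constructed sample of what a service might see (not captured from a device).
const sampleTlsInfo = {
  version: 'TLSv1.2',
  cipher: 'ECDHE-RSA-AES128-GCM-SHA256',
  sni: 'api.example.com',
};
```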

New algorithms for JWE encryption
Support was added for the following encryption algorithms.
  • A128GCM
  • A192GCM
  • A256GCM
The new algorithms apply to the following functions:
Display a banner message to users before the SSH login prompt
You can choose to include a banner message during the SSH preauthentication phase, which includes an SFTP command login. The message is displayed to users before the login prompt.
Generate a CSR or self-signed certificate from an OpenSSL CNF configuration file
When you generate a CSR or self-signed certificate with the keygen command, you can specify a configuration file to read the DN and OIDs from. The configuration file must be in the OpenSSL CNF format. This file consists of sections that are delimited by a section name that is enclosed in square brackets. Each section can contain one or more properties. Some of these properties are allowed to exist outside of any section definition and are therefore considered global. The command does not read global properties.
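An added example, not part of the keygen command or the IBM documentation: a small JavaScript parser for the CNF layout just described, which drops properties that sit outside any section, as the note says the command does. The sample configuration is constructed, and which section names keygen actually reads is not assumed here.

```javascript
// Parse OpenSSL CNF text into { sections, ignoredGlobals }.
// Sections are "[ name ]" headers; properties are "key = value" lines;
// "#" starts a comment. Properties before the first header are global and,
// matching the behaviour described for keygen, are recorded but not read.
function parseCnfSections(text) {
  const sections = {};
  const ignoredGlobals = [];
  let current = null; // null until the first [section] header is seen
  text.split(/\r?\n/).forEach((rawLine, idx) => {
    const line = rawLine.replace(/#.*$/, '').trim(); // strip trailing comment
    if (line === '') return;
    const header = line.match(/^\[\s*([^\]]+?)\s*\]$/);
    if (header) {
      current = header[1];
      if (!sections[current]) sections[current] = {};
      return;
    }
    const eq = line.indexOf('=');
    if (eq < 0) throw new Error(`line ${idx + 1}: expected "key = value"`);
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (current === null) {
      ignoredGlobals.push(key); // global property: deliberately not read
    } else {
      sections[current][key] = value;
    }
  });
  return { sections, ignoredGlobals };
}

// Constructed sample in the CNF format described above (not a real deployment file).
const sampleCnf = [
  'default_md = sha256   # global: outside any section, so ignored',
  '',
  '[ req ]',
  'distinguished_name = req_dn',
  'prompt = no',
  '',
  '[ req_dn ]',
  'CN = gateway.example.com',
  'O  = Example Corp',
  'C  = US',
].join('\n');
```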

Enhanced ODR

Accept routing rules from a Liberty Collective or WebSphere® cell
When you configure a single On Demand Router in the default domain of the DataPower Gateway, you can define how to accept routing rules from a Liberty Collective or WebSphere cell. The updated configuration on the DataPower Gateway is as follows.
  1. Enter the name of the ODR routing rules server that is used to determine whether routing rules are delivered to the DataPower Gateway. If the DataPower Gateway is not using routing rules, you can use any server name.
  2. Define the RoutingRulesConnectorClusterName custom property to set the name of the ODR connector group from which routing rules are accepted. The web server name is configured in one of the following ways.
    • In a Liberty Collective, as an attribute of the routingRules element.
    • In a WebSphere cell, as the value of the serverName parameter of the WebServerRoutingRule command.
Set the time to wait before attempting to reestablish a connection to the Intelligent Management service
When you configure an ODR connector group, you can set the time to wait before attempting to reestablish a connection to the Intelligent Management service. In earlier releases, you could not control this behavior, and the wait was always 60 seconds.

Enhanced GatewayScript processing

Protect the built-in object by freezing prototypes
The GatewayScript built-in object prototypes are frozen by default to prevent unwanted modification of existing property attributes and values, addition of new properties, or removal of existing properties of the GatewayScript built-in objects. When you need to manipulate the built-in object prototypes, you can unfreeze the object prototype through the GatewayScript settings.
When the built-in object prototypes are frozen and the property to modify is inherited from a GatewayScript built-in object, you must use the Object.defineProperty() API to modify the property.
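Added example in plain Node.js (not GatewayScript or DataPower code) showing why assignment to a property inherited from a frozen prototype fails, while Object.defineProperty() on your own object succeeds. A frozen stand-in object replaces the real built-in prototype so the demonstration does not disturb the process it runs in.

```javascript
// Stand-in for a frozen built-in prototype (an assumption for this example).
const BuiltinLike = Object.freeze({
  describe() { return 'builtin'; },
});

function makeChild() {
  return Object.create(BuiltinLike);
}

// Attempt 1: overwrite the method on the frozen prototype itself, which is
// what a prototype-pollution payload would try. In strict mode this throws
// TypeError; in sloppy mode it fails silently. Either way nothing changes.
function tryPolluteFrozenPrototype() {
  'use strict';
  let threw = false;
  try {
    BuiltinLike.describe = () => 'polluted';
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, value: BuiltinLike.describe() };
}

// Attempt 2: plain assignment on a child object. Because the inherited
// property is non-writable, [[Set]] refuses to create a shadowing own
// property, so this also throws in strict mode and changes nothing.
function tryAssignOnChild() {
  'use strict';
  const child = makeChild();
  let threw = false;
  try {
    child.describe = () => 'child';
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { threw, value: child.describe() };
}

// Attempt 3: the supported route. defineProperty creates an own property on
// the extensible child, shadowing the frozen inherited one without touching it.
function defineOnChild() {
  const child = makeChild();
  Object.defineProperty(child, 'describe', {
    value: () => 'child', writable: true, configurable: true, enumerable: false,
  });
  return { child: child.describe(), prototype: BuiltinLike.describe() };
}
```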
Prevent the synchronous processing of a file from continuously using CPU for an unexpectedly long time
The synchronous processing of a GatewayScript file that is called by the GatewayScript action might continuously use the CPU for an unexpectedly long time without yielding back to the system event loop. To avoid this issue, you can specify the maximum synchronous processing duration. When the duration elapses and the GatewayScript action is still processing, the action is terminated and the transaction throws an error.
Manipulate message attachments or root part headers with the context object
You can use GatewayScript APIs that are associated with the GatewayScript context object to manipulate message attachments or root part headers.

Control the parsing of input with auto detection of document type and dynamic threat protection settings

You can control the parsing of XML, JSON, and binary data by using a parse action.
  • You can manually specify the input document type, or let the action detect the type.
  • You can set extensive constraints on the input document to achieve threat protection.
  • You can configure the constraints through different means. The constraints are enforced dynamically according to predefined rules.
    • With a URL from which to retrieve the parser limit properties
    • With a literal string that contains the parser limit properties
    • With a parse settings configuration

Gain insights into your DataPower usage through IBM Cloud Product Insights

The DataPower Gateway integrates with the IBM Bluemix® Product Insights service to help you gain insights into your on-premises DataPower Gateway usage. When a DataPower Gateway is configured to connect to Product Insights, it collects the registration and usage metrics from the DataPower Gateway and stores them securely in IBM Cloud. You can view these metrics in the Product Insights dashboard on Bluemix.

Run DataPower Gateway for Docker as a non-root user

The DataPower Gateway process now runs as a non-root user by default. Running as a non-root user allows you to automate deployment of DataPower Gateway on Docker more easily, with appropriate permissions that do not require root privilege.

When running the DataPower Gateway as a non-root user, you must ensure that files and directories have appropriate permissions. DataPower provides the set-user command that you can use to resolve certain kinds of common issues about file and directory permissions.

You can still choose to run as the root user. To run the DataPower Gateway process with root privilege, add the USER root declaration to the Dockerfile.

Export, import, and manage records in a document cache

Added the following actions to manage records in the document cache for an XML manager. Previously, you could only flush documents.
Added the following extension functions for use in stylesheets. These functions equate to the previously listed actions.
  • Flush documents with the dp:flush-documents() function.
  • Flush expired documents with the dp:flush-expired-documents() function.
  • Invalidate documents with the dp:invalidate-cached-documents() function.
  • Export documents with the dp:document-cache-export() function.
  • Import documents with the dp:document-cache-import() function.

Use primitive functions to encrypt and decrypt blocks of binary data and to calculate the low-level MAC

Added the following functions for use as cryptographic primitives within the context of a larger standard such as Retail MAC. The higher-level standards typically define their own padding scheme, which is why these functions do not pad. Therefore, these functions handle only block-multiple data and are not suitable for general-purpose use.
  • Encrypt blocks of binary data with the dp:encrypt-binary-block() function.
  • Decrypt blocks of binary data with the dp:decrypt-binary-block() function.
  • Calculate the low-level MAC with the dp:mac-binary-block() function.

Enhance logging to simplify the diagnostics for MQ connection errors

When your DataPower Gateway integrates with IBM MQ and receives the MQ connection error 2009 (MQRC_CONNECTION_BROKEN) or 2059 (MQRC_Q_MGR_NOT_AVAILABLE), you can use the new reason codes that the DataPower Gateway reports to help you pinpoint the problem.

Choose the graphical interface to log in to on the login page

You can now choose to log in to the Blueprint Console or the WebGUI from the DataPower GUI login page. Your preference is saved for the browser after you log in.

Set the description for DNS static hosts

You can now set a description for each DNS static host. A description can help you understand what the static host represents in your environment.

Print the value of a system variable to the CLI

You can use the get-system-var command to print the value of a system variable to the CLI.