Added, Removed, Deprecated, or Changed Items

Added Items

• Bulkhead pattern support in API Gateway

Support to specify the maximum number of concurrent requests processed by:

• an API at API level

• all APIs (Global level - The specified number applies to each API under the Global policy)

  When the specified number of concurrent requests exceeds the specified limit, the excess requests are rejected. In such scenarios, the corresponding transaction events and the policy violation events are generated.

• Proof key for code exchange enhancements

Support for PKCE to secure OAuth 2.0 public clients at application level that uses the authorization code grant.

• Traffic optimization improvements

The Traffic optimization policy can now be applied to:

• All consumers (specified rate-limit within a given time limit shared by all consumers)

• All registered consumers (specified rate-limit within a given time limit shared by all registered consumers)

• All non-registered consumers (specified rate-limit within a given time limit shared by all non-registered consumers)

• Each consumer

• Each registered consumer

• Each non-registered consumer

• Specified list of consumers (can allow consumer-specific throttling or allow the given limit to each consumer)

• Simplified upgrade procedure

API Gateway upgrade procedure is enhanced to support pre-flight checks and sanity health checks during migration. This feature will be available to the customers in the upcoming version after 10.15.

• Support for production-class container images on https://containers.webmethods.io

API Gateway docker images are available on https://containers.webmethods.io.

In addition to the trial bundle, a production-class docker image, webMethods API Gateway Minimal, is introduced.

The API Gateway 10.15 minimal docker image provides the API Gateway server and UI only. Containers of this image must be configured with a compatible instance of Elasticsearch and Kibana (as documented in the product compatibility matrix).

• Promotion and import of archives from API Gateway versions 11.0 and 11.1

  API Gateway 10.15 now supports importing archives from API Gateway versions 11.0 and 11.1. Additionally, you can now promote from API Gateway 11.0 or 11.1 to version 10.15.

Changed Items

• Enhancements to asset approval process

Asset approval process is enhanced. As administrators, you can specify approvers in a team when creating or editing team details. The selected team approvers can view the pending requests of the assets that are associated with their respective teams and approve them.

• Enhancements to product architecture

API Gateway supports a seamless data separation between Elasticsearch, which stores the product configurations, and Elasticsearch, which stores API analytics(default destination).

• Enhancements to observability and monitoring metrics

API level Prometheus metrics are introduced for measuring the availability of the deployed APIs. The following API level metrics measures the service and business availability:

• Error rates

  • API transaction error rate per API and the aggregated value

  • API execution error rate per API and the aggregated value

  • Backend API errors per API and the aggregated value

  • Errors arising from the inter component interactions (such as API Gateway to Elasticsearch)

• Performance(latency)

  • API performance per API

  • API Gateway performance and Backend API performance

  • Aggregated latency introduced by API Gateway

• LDAP V3 support and certification

API Gateway now supports LDAP version 3 for the user management LDAP integration.

• TLS 1.3 support and certification

API Gateway now supports TLS version 1.3 for securing the inbound and outbound connections that use JSSE.

• Elastic stack upgrade

Elasticsearch, Filebeat, and Kibana are upgraded to version 8.2.3.

• X-Pack in place of Search Guard plugin

Elasticsearch is updated to version 8.2.3, which is incompatible with Search Guard plugin. Instead, X-Pack and ReadonlyREST plugins are recommended to secure API Gateway Data Store communications.

• You must not use Java 17 from C:/SoftwareAG/InternalDataStore/jdk to run other processes as it is shipped to run Elastic Search version 8.2.3

Deprecated Items

• The Custom dashboard is deprecated and will be removed in future releases from API Gateway Analytics dashboard.

  Alternatively, you can configure an external elastic search destination and build your own dashboards using Kibana.

• The support for Deployer and Command Central is deprecated and will be removed in future releases.

  API Gateway support, for example, provisioning, configurations using Deployer and the Command Central (CCE) is deprecated.

• The support for creating Docker images from an API Gateway installation is deprecated and will be removed in future releases.

  API Gateway images can be downloaded from https://containers.webmethods.io.

• The support for webMethods API Portal is deprecated and will be removed in future releases.

  webMethods Developer Portal can be used, in place of webMethods API Portal, to securely expose APIs to external developers, partners, and other consumers publishing APIs.

• The support for Digital Events destination is deprecated and will be removed in future releases.

• API Data Store (embedded Elasticsearch) is deprecated and will be removed in future releases. To address security vulnerabilities and simplify upgrades, configuring an external Elasticsearch is now the only supported approach.

Added Items

• Change Administrator’s default password

During installation, the default Administrator user’s password can be defined. Change password on first login can be enforced.

• GraphQL support

GraphQL API type can be managed in API Gateway.

• Trace and Replay support for API Calls With Trace API support, the complete life cycle can be monitored for any runtime requests within API Gateway.

  API calls can be traced and inspected at granular level.

  For GA, the number of supported policy actions are limited. More policy actions will be supported in the upcoming fixes.

• Publish performance metrics to CentraSite

Performance metrics can be published to CentraSite destination using new REST APIs that are exposed by CentraSite.

• Proof Key for Code Exchange Support

Support for PKCE to secure OAuth 2.0 public clients that use the Authorization Code Grant.

Changed Items

• Enhancements to SOAP to REST transformation

SOAP to REST transformation feature is enhanced with the following:

• Schema validation enhancements

• SOAP Operation handling in JSON responses

• Single node Array handling

• Simplified API Gateway clustering

API Gateway can be clustered without using Terracotta server array and without any additional runtime.

Distributed caching is limited for data aggregation cases like throttling and metrics.

• Enhancements to API Gateway backup and restore

Backup and restore activities are enhanced with the following:

• The log level and log file location can be defined for backup and restore operations

• Activity status monitoring

• Rollover support

• Backup of selective index.

• Enhancements to API Monetization

API Monetization feature is enhanced with the following:

• REST API for monetization included

• Supports meta data changes

• Hot edit of packages and plans

• Notifications for quota breach scenarios.

• Enhancements to SSO implementation

SSO implementation is enhanced with the following:

• SSO configuration and generation of Service Provider metadata is simplified

• Supports user attributes mapping

• Avoids multiple restarts while enabling SSO configuration

• Enhancements to Archive and Purge

Archive and Purge is enhanced with the following:

• Purge operations can be performed based on conditions

• API Gateway UI displays detailed job status for archive and purge

• Resource handling and performance enhancements

• Improved the user experience for archive and purge operation

Added Items

• AppMesh API and Microservice updates

API or Microservice updates can be provisioned without impact on the service availability.

AppMesh page lists microservices exposed over cluster ports, load balancer ports, and Ingress ports.

• Tags for global policies and teams

Global policies can be applied to a set of APIs or to specific REST resources and SOAP operations based on the tags specified for the APIs or its resources and operations.

Global team assignment for APIs can be done based on the tags of the APIs.

• Bind access of APIs with ports

Bind access of REST and OData APIs with specific ports can be defined with allowed or denied list of APIs or paths. When default is to allow all, a denied list can be defined; and when default is to deny all, an allowed list can be defined.

• Upgrade with no downtime

Upgrade to major or minor version without any downtime for the runtime transactions.

Quiesce mode is introduced to disable access to an API Gateway server temporarily so that the upgrade tasks can be performed.

• Custom Dashboards

Analytics dashboards can be built by composing different widgets and construct a custom dashboard along with predefined dashboards.

• Monetization updates

Monetization feature is enhanced with the following:

• To display all the subscriptions made and their status, in addition to packages and plans.

• To monitor the usage consumption, such as current usage, remaining time and quota left and so on.

• To include new metrics like calendar week and calendar month to monitor the usage.

• Custom Destinations

New event destinations can be defined as custom destinations apart from the predefined destinations and the custom destination can be selected as part of Traffic Monitoring policy actions to transmit selected event types.

• Conditional error processing updates

Variable based fault processing and transformation where multiple fault cases can be grouped based on conditions. Response headers and status can be transformed as per the defined policy conditions.

• Variable framework updates

Variables are made available across policy stages where system and custom variables and values from request and response can all be accessed using variable syntax in applicable policies.

Changed Items

• Policy labels and action to add policy

Policy labels with a long name are shortened as follows.

An Add icon is introduced for each policy, which you can use to add the corresponding policy to an API.

Identify & Authorize Application ==> Identify & Authorize

Inbound Authentication – Message ==> Inbound Auth – Message

Outbound Authentication – Transport ==> Outbound Auth – Transport

Outbound Authentication – Message ==> Outbound Auth – Message

JMS/AMQP Routing for SOAP ==> JMS/AMQP SOAP Routing

JMS/AMQP Routing for REST ==> JMS/AMQP REST Routing

JMS/AMQP Properties for SOAP ==> JMS/AMQP SOAP Properties

JMS/AMQP Properties for REST ==> JMS/AMQP REST Properties

Monitor Service Performance ==> Monitor Performance

Monitor Service Level Agreement ==> Monitor Level Agreement

Throttling Traffic Optimization ==> Traffic Optimization

Deprecated Items

The following scripts are deprecated and will be removed in future releases:

Windows version:

• apigw-backup-packages.bat

• apigw-backup-tenant.bat

• apigw-upgrade-backup.bat

• apigw-restore-tenant.bat

These scritps are replaced by apigatewayUtil.bat.

Linux version:

• apigw-backup-packages.sh

• apigw-backup-tenant.sh

• apigw-upgrade-backup.sh

• apigw-restore-tenant.sh

These scritps are replaced by apigatewayUtil.sh.

Removed Items

• Search Guard

The Search Guard plugin, which is used to secure API Gateway Data Store communications, is not available in the installation by default.

It can be installed and used separately.

Added Items

• Custom Runtime Policies

API Providers can now invoke any external services, which can act as a runtime policy as part of the policy enforcement and thus can support custom runtime policies. Custom policies can be included in the stages such as, Identify and Access or Payload processing stages, or Routing stage. AWS Lambda functions also can be considered for custom policies.

• Team work Support

Team work support is to provide access control based on team-specific privileges in the deployments where multiple teams work on a single API Gateway instance. Assets of type API, Application, Package, Plan would be team-specific in such deployments and deployments where teams is not applicable, this can be switched off.

• API First

API-first is an approach where the design and development of an API comes before the implementation. API Gateway can now cater provider-complaint specification that can be used to register API first in API Gateway as part of API-first approach.

• Externalization of configurations

Inter-component configurations and cluster configurations are available at different locations causing maintainability and operational overhead. A new centralized configuration management is introduced in this version where configuration of API Gateway, Kibana, and filebeat connections to Elasticsearch and API Gateway, Elasticsearch and Terracotta cluster configurations for clustering is supported.

• Command Central integration

API Gateway integration with Command Central is enhanced for managing API Gateway instances through Command Central for Logs, Ports, Licensing, and Clustering configuration. The same is supported now through Command Central templates as well.

• Change ownership of Assets

Ownership of API and Application type assets can be transferred to a different user and can be implemented with Approval flow if desired. This would help to overcome the unavailability of specific data in the case where the current owner is not available in the system.

• Governed API development

APIs provided by CentraSite are considered read-only if a CentraSite destination is configured. If there is no CentraSite destination there is no connection to CentraSite and therefore no read-only restriction needs to be enforced. Scopes and policies can still be updated in API Gateway.

Changed Items

• Internal Data Store

Internal Data Store is now renamed to API Gateway Data Store.

API Gateway 10.5 is updated to use Elasticsearch 7.2.0 only as its data store.

• Access Profiles

Access profiles are now changed to Teams

Added Items

• Import and Export Enhancements

Import and export support that was limited to some assets is now enhanced to include all assets and configurations so that users can easily move the configurations across instances.

• Staging and Promotion Enhancements

Staging and promotion support that was limited to some assets is now enhanced to include all assets and configurations so that users can easily move the configurations across instances. Aliases can be configured with stage details.

• Support Certificates in Custom Headers

Application identification is enhanced to get certificates sent through Custom HTTP header in order to identify the application. Custom header can be configured as part of extended settings of Administration.

• Support API Composition in API Mashups API providers can configure to invoke multiple APIs as part of mashup step and aggregate the response that is passed to the next step. Similarly responses of different steps can be aggregated and sent as single output to the client.

• Microgateway Management in API Gateway

API Gateway displays list of live Microgateways registered to it and are now able to retrieve details about list of assets, and configurations of each Microgateway.

Changed Items

• Application Identification

In case of Application identification failure, error message is changed from Unable to identify the application for the request to Unauthorized application request.

Added Items

• Open API Support

Users can create an API by importing an open API document file or URL in API Gateway. OpenAPI Specification (formerly Swagger Specification) is an API description format for REST APIs.

• Support for API Mashups

Individual microservices and APIs can be composed into one mashed up API. API Gateway handles a request by invoking multiple microservices and aggregating the results and provide final response.

• Support Async APIs

APIs which take longer than usual invocation time, may end up with Read Time out. API Gateway could enforce policies to use the callback URL defined for the APIs.

• Support AMQP protocol

Support AMQP as an inbound and outbound endpoint for API Gateway APIs of type SOAP and REST. AMQP is open standard for passing messages between applications and provides standard messaging protocol across platforms.

• API hot deploy API updates can be done without deactivating or affecting the ongoing requests. Each request finishes without being affected by updates to the API and policy definition.

• Support runtime service registries

API Gateway APIs can be published to service registries and clients can get the endpoints from service registry. APIs routing endpoint can be configured with service registry to discover endpoint from registry during outbound.

• Log aggregation

API Gateway aggregates different log files used for logging API Gateway usage and provides a comprehensive log file. Logs can be also viewed in the dashboard with filtering capabilities.

• Security enhancements

Security configuration is unified for OAuth, OpenID and JWT configuration, and is simplified. Support for multiple active Authorization servers simultaneously is included. Added capability to register clients dynamically in third-party Authorization servers. Support for third-party clients introspection. PKCE client application support for third-party Authorization servers. Mapping of OAuth scopes with API scopes.

Removed Items

• Inbound Authentication – Transport policy was removed from API Gateway10.3

This functionality was added into the Identify and Authorize Application policy.

Added Items

• API Tagging

APIs or its resources and operations can be tagged. You can use the tags for searching artifacts in API Gateway and publish the tags along with the API to API Portal.

API creation using Swagger can acquire the tags from the swagger file and also API export should include the assigned tags.

• Bulk Publish, Unpublish and Delete

You can publish, unpublish or delete more than one API at a time to API Portal.

• File attachments support for API

APIs can be attached with supporting files as attachments and the attached files are available in API Portal after publishing to the Portal.

• JWKS endpoint for JSON Web Tokens

As an ID provider, API Gateway provides the JWKS endpoint that helps the relying parties to fetch the certificates that can be used for validation of the JSON Web tokens.

• HTTP Client for Elastic Search

Relaxes the hard limitation of using the Elastic search shipped along with API Gateway product; you can use other elastic search instance configured with API Gateway

• Application suspension

You can now suspend applications to deactivate the runtime access to the applications in API Gateway and the same application can be activated again.

• CORS Support in API gateway

API Gateway can process cross origin requests sent by clients as inbound policy and also as transparent mode of native service processing cross origin requests.

• Specification for Invoke IS Service

You can now define IS Service to get and set headers, status code, body, and other MessageContext variables using the specification in the service and do not have to write code to extract the variables.

• Enhance Transaction events

Transaction events are enhanced to log headers and query parameters of request and response along with the payload.

• Caching enhancements

You can manage different caches of API Gateway to auto scale or allocate static percentage of data to be held in cache.

• Data masking

API Gateway’s data masking policy can be configured to mask or filter specific data in request and response messages and also mask the data in transaction events.

• JSON Schema and JSON Path Support

JSON payload can be evaluated for schema validation and JSON path can be used in policies like content-based routing, error processing, and identify application.

• User profile management

You can now configure your preferences like name, email passwords, and display language.

• Audit logging support

Audit logging would capture user activities in API Gateway for API, application, approvals, and user management. Audit logs would capture who has done the action and when. These logs help in securing the system.

• API Monetization

Plans and packages can be managed by quotas, usage, and rate limits with soft and hard limits. Consumers can subscribe to plans and monitor usage and re-subscribe as required.

Added Items

• Migration from Mediator to API Gateway

APIs and associated data can be published from CentraSite to API Gateway 10.1 version.

This allows users to publish Virtual Services of SOAP and REST with applied policies, consumer applications, runtime alias to API Gateway, which play the role of policy enforcement point and replace Mediator.

• Migration from Enterprise Gateway to API Gateway

Enterprise Gateway configurations and Rules can be migrated to API Gateway, which replace and play the role of Enterprise Gateway.

• Staging and Promotion support

You can now promote assets from one stage to another. API Gateway uses webMethods Deployer for promoting assets across stages. Promoting an asset involves calculating its dependencies and promoting them unless explicitly specified by the user. Stage-specific configurations and alias values can be modified to respective values.

API Gateway assets can be managed with version control system and perform scheduled or automatic promotion to stages as configured.

• Support for SOAP over JMS

Support JMS protocol of Inbound and Outbound for SOAP. Allow JMS-HHTP bridging between Inbound and Outbound.

• Backup and Restore

Backup API Gateway assets and configuration using command line and you can restore the backed up data.

• Transaction based licensing License model based on transactions and appropriate alerts can be implemented

• Approval model for applications Approval model can be implemented for creating or updating applications, associating applications with APIs, and subscribing to packages.

• API Mocking Mocking mode allows users to make mock calls to APIs. User can specify API response for each resource or operation and can set status codes for responses. API responses can be configured on conditional basis too.

• Support 3rd party OAuth providers Users can use 3rd party Authorization Servers for authenticating API invocations using OAuth2

  Third party OAuth2 providers like OKTA and Ping Federate can be used for OAuth2 authentication.

• Support JSON Web Tokens API Gateway can authenticate clients using JSON Web Tokens supplied during invocations.

• Open ID Support API Gateway can authenticate clients using Open ID Tokens supplied during invocations.

• HTTP Header Validation Providers can mandate consumers to send HTTP headers and values defined in policy for API Invocations.

Added Items

• API Versioning New version for an API can be created. Different versions of an API can be viewed and invoked

• SOAP to REST transformation API Provider can enable some of the operations of SOAP service as REST endpoints. These operations can be invoked with different paths and the operation path can contain Path parameters that can be saved as templates and can be hierarchical. The operation can be invoked in a method other than POST

• API export and import APIs in API Gateway can be exported and imported into a different API Gateway. This implies that the export archive for an API includes all the information to establish an API in the importing API Gateway.

• Support Service Result Cache Service result of the first invocation is cached when the criteria defined in the policy is met. Subsequent requests are from cache and do not require to go to native service for every similar invocation.

• Schema Validation Support Validates the incoming requests and responses against a schema referenced in the WSDL for SOAP APIs. For REST API, user should be able to validate incoming requests and responses against the specified schema.

• API usage reports and dashboards Package-level and API-specific usage and utilization reports. API Gateway provides number widgets for package invocations and API invocations.

• Archive purge and restore events data Administrators can archive and purge events data to a configured file location. The archived data is restored from the created archives.

• Resources or Operation level policies Policies can be applied to one or more resources or operations and must be applied on an API always. Scope can be created with a collection of resources, methods or operations of an API and policies can be applied to the scope to apply to the specific operation or resources.

• Global policies and policy templates Global Policy is a common policy that can be associated to multiple APIs based upon the criteria defined for the policy. Policy Template is a base template defined, which can be imported in multiple APIs.

• SAML Authentication APIs can be applied with SAML authentication policies at Inbound and Outbound. Bearer and Holder of Key SAML subject confirmation are supported for SAML 1.0 and 2.0 versions.

• Kerberos Authentication Kerberos authentication is supported at message and transport level for SOAP APIs and at transport level for REST APIs. APIs can be applied with Kerberos authentication policies at Inbound and Outbound.

• XML Threat Protection Support API Gateway application should be resilient to attacks through XML payload. XML payloads sent through external port go through the XML threat protection filter when the rule is defined and enabled.

• JSON Threat Protection Support API Gateway application should be resilient to attacks through JSON payload. JSON payloads sent through external port go through the JSON threat protection filter when the rule is defined and enabled.

Added Items

• API CRUD Both REST and SOAP APIs can be imported. Swagger and RAML are supported formats for REST and WSDL for SOAP. REST APIs can be created from scratch as well.

• Policies and Aliases CRUD Both threat protection and API-specific policies based in selected edition. For more information, see documentation for supported policies. Create and manage aliases that improve the reuse and maintenance.

• Consumer Applications CRUD Manage consumer applications and associations with APIs.

• Packages and Plans Organizations can group APIs and define enforcements on the same as a single unit, which can be subscribed by developers.

• API Portal Integration APIs can be published to API Portal from API Gateway for the developers reach.

• Analytics API Gateway provides dashboards for greater insights on various topics like Summary, Trends, Consumer applications, and Threat protection.