Version 2018.4.1 known limitations
This page describes known limitations for IBM® API Connect Version 2018.4.1.
- You cannot upgrade to API Connect 10.0.6.0 or later from from any version of 2018.
- A direct upgrade from any version of 2018 to API Connect 10.0.6.0 or later is not supported. You must upgrade to 10.0.5.x as an interim step before upgrading to 10.0.6.0.
- VMware only: You must upgrade to 2018.4.1.20 before upgrading to 2018.4.1.24
- On VMware, the only upgrade that is supported for version 2018.4.1.24 is from 2018.4.1.20; you cannot upgrade directly from older releases.
- Override plan rate limits are not displayed in the Endpoint tab
- Any override plan rate limits that have been added to your API for individual operations are not displayed in the API Endpoint tab in the UI. Only the plan rate limit is displayed.
- Updates to members in the UI might not automatically refresh
- Updates to members in the Cloud Manager and API Manager UIs might not automatically refresh. However, you can click the Refresh icon to manually refresh your browser.
- APIC repair job fails when streaming-connection-idle-timeout is set to 0
- The recommended timeout value is 1 hour. The value is set in the kubelet config file. For information on configuring this setting, see the Kubernetes kubelet documentation at https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/.
- Viewing multiple dashboards in a non-incognito browser is not supported
- Either an incognito (private) browser tab, a separate browser instance, or a full page refresh is required for viewing dashboards in multiple Analytics services simultaneously.
- Default vanity API endpoints are not displayed for a Catalog with Spaces enabled
- If you enable Spaces in a Catalog then, on the page for the Catalog, the default vanity API endpoints are not displayed.
- Limitations in the analytics record of
request_body
- Logging the API
request_body
in Analytics is subject to the following limitations:- A non-xml request body is not supported in the analytics record
- A non-json request body is not supported in the analytics record
- A multipart request body is not supported in the analytics record
- An API returns a
Content-Type
header ofunknown
- If an API contains a GatewayScript
policy that executes an
apim.setvariable
function call that manipulatesmessage.body
, theContent-Type
header is set tounknown
. This might cause issues with invoke policy target servers, or the API client. To resolve this problem, you must immediately follow theapim.setvariable
function call with anapim.output
function call that specifies the content type of the payload that was written tomessage.body
byapim.setvariable
. - User interfaces behave incorrectly after upgrading to a new fix pack
- After upgrading to new fix pack release, the user interfaces might exhibit incorrect behavior such as missing icons, errors when attempting an action, and looping situations. To resolve this problem, first clear your browser cache before using a user interface, then if the problem persists disable your browser cache.
- An OpenAPI definition that contains regular expression syntax fails validation
- IBM API
Connect supports the GO regular expression
syntax. When you import an OpenAPI definition into the API Designer or API Manager user interfaces, or
validate one with the
apic validate
, the validation will fail if the OpenAPI source contains unsupported regular expression syntax, with errors that includeDoes not match format 'regex'
; for example:- Must validate at least one schema (anyOf) (context: (root).paths./example/types.post.parameters.0.schema.properties.items, line: 0, col: 0) - Must validate one and only one schema (oneOf) (context: (root).paths./example/types.post.parameters.0, line: 46164, col: 21) - paths./example/types.post.parameters.0.schema.properties.items.properties.pattern Does not match format 'regex' (context: (root).paths./example/types.post.parameters.0.schema.properties.items.properties.pattern, line: 0, col: 0)
- When scaling down a Kubernetes cluster of DataPower gateways, the cluster might enter an unrecoverable state if the peering primary instance is lost
- If you are scaling down a Kubernetes cluster of DataPower
gateways, you must first complete the following steps to ensure that the peering primary instance is
not lost:
- Truststore and keystore settings in a shared TLS client profile are not reflected in API Manager
- If you create a shared TLS client profile in the Cloud Manager user interface and assign a truststore and a keystore, these truststore and keystore settings are not reflected in that TLS client profile in the API Manager user interface and cannot be set there. Furthermore, the TLS client profile list views display the value shared for the truststore and keystore rather than the correct values. To workaround this problem, create the truststore, keystore, and TLS client profile separately for each provider organization in the API Manager user interface, then enable the TLS client profile in your Catalogs as required.
- An invited Space owner cannot work with consumer organization groups
- If you enable Spaces in a Catalog and invite a user with Space Owner permission, the invited user cannot create, edit, or manager consumer organization groups, and cannot add consumer organizations to an existing consumer organization group.
- Install Assist utility not supported on Windows when upgrading to v2018.4.1.10
- A known limitation prevents successful use of the Windows platform version of the Install Assist utility, when upgrading to v2018.4.10. The workaround is to use a Linux or macOS version of the binary to complete the upgrade.
- The
apic cloud-settings:topology
command doesn't return a topology object - If you use the
apic cloud-settings:topology
command without a--format
parameter, it returns only the stringCloudTopology
rather than the cloud topology. To retrieve the topology object, include the--format
parameter, with a value of eitheryaml
orjson
as required. - The
apic cloud-settings:mail-server-configured
command response is incorrect - If you use the
apic cloud-settings:mail-server-configured
without a--format
parameter, it returns only the stringMailServerConfigured
rather than a boolean value to indicate whether an email server has been configured in the cloud settings. To retrieve the correct response, include the--format
parameter, with a value of eitheryaml
orjson
as required. - API Designer user interface might not open correctly if there are badly formed OpenAPI YAML files in the startup directory
- If, when launching the API Designer user interface, the
startup directory that you select contains one or more badly formed OpenAPI YAML files, the
interface might fail to load correctly, with an error such as the
following:
Cannot read property 'type' of null
To resolve this problem, remove any invalid OpenAPI YAML files from the startup directory, then restart the API Designer user interface.
- Pagination setting is global across the API Connect user interfaces
- If you set the Items per page value on any page in either the Cloud Manager or API Manager user interface, that setting is then applied to all pages in both user interfaces in the same browser session. If you want to set the value separately for a specific page, open it in a private browser window. Such a setting in a private browser window is specific to that window and is lost when the window is closed.
- In Catalina, testing the WSDL-SOAP flow in designer assembly editor has no dependencies
-
In Catalina, for designer, if you want to use test functions inside the assembly editor for the WSDL-SOAP flow, the Invoke button is disabled. Also, you cannot generate the parameter body.
To resolve this situation, you can directly publish the WSDL-SOAP APIs to the API Manager UI. Then, use the test function inside the API Manager UI - Assembly Editor. However, when you generate the body you must remove the comments
<-- ... -->
, as in some cases the comments are not processed correctly. - The User Security policy in API Designer does not make user registries available for selection
-
If, in the API Designer user interface, you add a User Security policy to an API assembly, the User registry list in the policy configuration window does not contain any user registries to select from. To work around this problem, add the user registry to the policy directly on the Source tab; define the following property in the
- user-security:
policy configuration:
where user_registry_name is the value of theuser-registry: user_registry_name
name
property of the required user registry. - Ingress timeout settings might need adjustment to enable improved synchronization in Version 4.1.8
-
API Connect Version 4.1.8 contains a set of core updates designed to improve synchronization, and to strengthen stability and data integrity. Due to the changes, we recommend increasing the ingress time-out settings if you see 504 or 409 errors when trying to create or delete a provider organization or catalog. The increased stability also means that APIs and Products take longer to process, compared to versions prior to 2018.4.1.8.
To change ingress timeout settings, see the section
Kubernetes/ingress-nginx ingress controller config.map settings
in the topic Kubernetes ingress controller prerequisites. - Upgrade of management server to Version 2018.4.1.8 can take longer than during previous upgrades
- The upgrade of the management server from prior versions to Version 2018.4.1.8 may take longer than during previous fix pack upgrades. The extended time is due to underlying schema changes, and can be as long as several hours for long established deployments with a large amount of data.
- Manual backup required when upgrading to Version 2018.4.1.8 iFix 2 or later
- When upgrading to Version 2018.4.1.8 iFix 2 or later, you must complete a manual backup just prior to starting the upgrade. The manual backup is required because the upgrade can take an extended period of time. See Requirements for upgrading on VMware and Requirements for upgrading on Kubernetes.
- Manual backup required when increasing memory allocation for the management database on Version 2018.4.1.8 iFix 2 or later
- When changing memory allocation for the management database on Version 2018.4.1.8 iFix 2 or later, you must complete a manual backup just prior to changing the allocation. See Increasing the memory allocation for the management database on VMware and Increasing the memory allocation for the management database on Kubernetes.
- If you are using API Connect v2018.4.1.8 or later, there can be a temporary delay in data sync between Management server and other services
- Because of changes to improve stability, certain conditions can cause a temporary delay in the syncing of data between the Management server and other services such as the Gateway or Developer Portal. For example, there can be a temporary delay before a newly published Product runs on the Gateway, or is displayed on the Developer Portal. No action is needed to resolve the delay. Wait a few minutes and the Gateway and Developer Portal should be back in sync.
- Deletion of organizations, catalogs, and applications can fail
-
The deletion of organizations, catalogs, or applications can fail, if they or resources inside them (like draft APIs inside provider organizations) were created with Version 2018.4.1.6 or earlier. This problem does not exist if organizations, catalogs or applications, and resources inside them were created with Version 2018.4.1.7 or later. For Version 2018.4.1.6 or earlier, internal locks can remain in place and prevent successful deletion. If you encounter this problem, please contact IBM Support and open a support ticket. IBM Support can help you to clear the locks so that the deletions complete successfully.
- Management of refresh tokens not available in the UI
- You must use the command line interface (CLI) to enable and manage refresh tokens. The use of refresh tokens is supported in API Manager, API Designer, the Developer Portal, and the CLI Toolkit, provided that the user logs in with a non-OIDC Provider user registry. If the registry type used for user login is OIDC, then the refresh setting is ignored. When the token expires, the user is always redirected to the login page. For more information, see Specifying cloud settings for refresh tokens.
- The Applications page doesn't indicate how many applications there are in the list
- On the Applications page in a Catalog, there is no indication of how many applications there are in total. Therefore, if the total number of applications exceeds the Items per page setting, the list is incomplete with no indication that there are further applications that aren't displayed. To ensure that you view all applications, set the Items per page setting to the maximum value, then use the next page arrow to scroll through the complete list.
- The API republish icon isn't enabled after an API update
- If you make a change to an API definition in the Assemble view and save your changes, the API republish icon might not be enabled automatically, preventing you from republishing your updates. In such situations, enable the republish icon by refreshing the page, or by navigating to another view and then returning to the Assemble view.
- Upgrade of DataPower API Gateway to Version 2018.4.1.7 or later requires installation of the DataPower monitor pod
- API Connect Version 2018.4.1.7 introduces a new monitor pod for DataPower API Gateway. The monitor pod is required for all deployments of Version 2018.4.1.7 on Kubernetes. Installation of the monitor pod is required when upgrading DataPower Gateway from prior versions to version 2018.4.1.7 or later. For upgrade instructions, see Upgrading API Connect in a Kubernetes environment.
- Enablement of DataPower Gateway high performance peering on a currently deployed system requires interruption to API transaction processing.
- API Connect Version 2018.4.1.7 introduces high performance peering to DataPower API Gateway. If you do not enable high performance peering during initial installation, you can reconfigure to enable it later. Note that the reconfiguration process requires an interruption to API transaction processing, so you should plan accordingly. For Kubernetes, see Enabling high performance peering for DataPower API Gateway on Kubernetes. For VMware environments, see Enabling multiple peering objects on gateway services external to Kubernetes.
- Setting resource limits in Kubernetes can cause containers to behave oddly at run time
- In Kubernetes, you can set resource limits for each container. However, limiting CPU means that the container processes might slow down if they try to use too much. Limiting memory means that the Kubernetes code kills processes that try to allocate memory that would take the container over its limit. These limits can result in odd behavior such as the containers continually trying to start a daemon process, such as nginx or node, and exiting with success immediately.
- Field validation for the Client security policy is incorrect
- When configuring a Client Security policy in an API
assembly in the API Designer
or API Manager user
interfaces, there is the following incorrect validation behavior:
- The ID Name field is required, but the API definition can be saved without entering a value in the field.
- The Secret Name field is required only when the Secret Required option is selected, but the user interface indicates that the Secret Name field is required regardless. Furthermore, when the field is required, the API definition can be save without entering a value.
- If the Authenticate Client Method is set to Third party, the User Registry Name field is required, but the API definition can be saved without entering a value in this field.
- The title of a WSDL API can't be changed
- If, when editing a WSDL API definition, you attempt
to change the Title field, an error is returned. You can, however, change the
title by modifying the
title
property in the OpenAPI source on the Source tab. - A WSDL API cannot be saved as a new version
- If, when editing a WSDL API definition, you attempt to change the Version field, or use the Create new version option, an error is returned.
- User interface URL returns 404 error on OpenShift
- If IBM API
Connect is deployed to an
OpenShift environment, attempts to open the API Manager user interface at the
URL
https://api_manager_ui_endpoint
returns a 404 error because the redirect to the full URL fails. To avoid this problem, use the full URLs for the user interfaces, as follows:- API Manager user
interface:
https://api_manager_ui_endpoint/manager
- Cloud Manager user interface:
https://cloud_admin_ui_endpoint/admin
- API Manager user
interface:
- User interface does not provide the option to assign roles when inviting Space members
- When you invite a user to join as a member of a
Space by using the API Manager
user interface, it is not possible to assign roles to the user. This means that when the user
receives the invitation, activates their account, and logs in, they have no permissions. To resolve
this problem, assign the required roles to the user after they have activated their account, by
selecting the roles alongside the user on the Members page in the
Space.
You can, however, assign roles when adding a member to a Space, and when adding or inviting members to a Catalog.
- Requests that take longer than the value of the nginx timeout cause a 409 error
-
Requests that take longer than the value of the
nginx
timeout can cause a 409 error, such as:
The error occurs because the ingress controller is sending a repeat request when the previous one timed out. Your request will still continue processing in the background.Another request is operating on portal-subsystem-03729230-4df7-4419-94c9-e7691b616382 with the same name, please try again.
- In some scenarios, applications crash due to lack of sufficient memory for Cassandra
- Some applications that consume extensive amounts of memory can crash because the
memory requirements exceed the memory allocation for Cassandra. For example, a large number of
subscription tables, or upgrade requirements. Sample error from Cassandra
logs:
r7430a60641-apiconnect-cc-0.log:io.netty.util.internal.OutOfDirectMemoryError: failed to allocate 16921 byte(s) of direct memory (used: 67100185, max: 67108864)
Workaround: Choose one of the following:- Allocate more memory on Cassandra. See Increasing the memory allocation for the management database.
- Scale up Cassandra by adding a node, which increases the memory in the cluster
- Adding members to a provider organization might fail
- When adding members to a provider organization, the Cloud Manager user interface lists the current owner and members as well. If existing members are selected, the add action will fail.
- Upgrading with new certificates breaks analytics ingestion
- If the analytics subsystem certificates are modified after installation ( by using the apicup certs set command , followed by the apicup install command to deploy the change to the cluster), the analytics ingestion ingress will no longer be recognized by the Gateway. The analytics service must be re-registered in the Cloud Manager interface so that the new certificates are recognized.
- Publishing a large Product might result in an out of memory error
- Publishing a Product that contains large numbers of APIs might result in an out of memory error. To resolve this problem, divide the Product into multiple Products with fewer APIs, or increase or tune the memory settings for API Connect/Cassandra.
- Users are not logged out of the user interfaces after tokens expire
- If an API Manager or Cloud Manager user interface session times out, the user does not get redirected to the login page and might see an error. To redirect to the login page, refresh the browser window.
- User interfaces are not supported in Microsoft Edge
- The API Manager and Cloud Manager user interfaces are not supported in the Microsoft Edge web browser. To work in the user interfaces, use a different browser.
- New gateways cannot connect to existing gateways after the gateway peering certificates are changed
- Changing the gateway peering SSL certificates after gateway installation causes new gateways to be unable to connect to existing gateways, resulting in an outage. A full restart of the gateway StatefulSet (by deleting all the StatefulSet pods) is required for the gateways to come back online.
- Changes to an OAuth provider are not reflected in the consuming APIs
- If you modify the endpoints, scopes, or grants for an OAuth provider, the APIs that consume that OAuth provider will be affected. You might need to update the consuming APIs accordingly.
- Deletion of a non-empty provider organizations, Catalogs, or Spaces might fail
- The deletion of provider organization, Catalog, or Space that contains a large number of resources might fail. Before deleting provider organizations, Catalogs, or Spaces, first delete the contained resources.
- No option to bulk delete APIs or Products
- In the API Designer and API Manager user interfaces, there is currently no option to delete multiple APIs or Products in a single operation; in the user interfaces, APIs and Products must be deleted individually. However, you can bulk delete APIs and Products by using the REST API or CLI interfaces.
- Cannot publish an imported API that was generated with IBM API Connect Version 5.0 LoopBack®
- If
you import an API YAML file that was generated with IBM API Connect Version 5.0
LoopBack, attempts to
publish the API fail. Before publishing, remove the catalogs section, and the invoke policy named
tls-invoke-profile
, from the YAML source of the API definition; for example:catalogs: apic-dev: properties: runtime-url: $(TARGET_URL) sb: properties: runtime-url: 'http://localhost:4001
- Can't publish an API that has duplicate security definition entries
- The API Designer and API Manager user interfaces allow you to add duplicate security definitions to an API. However, attempts to publish the API will fail with OpenAPI validation errors. Ensure that the security definitions in an API are unique.
- API import can fail if there are validation errors
- Validation errors in the OpenAPI
definition of an API can cause the importing of the API to fail. The errors must be corrected in the
OpenAPI source before the API can be imported successfully. You can use the
apic validate
CLI command to validate the OpenAPI definition before importing. - Kubernetes might excessively evict pods
- In Kubernetes, if insufficient memory, CPU, or
storage resources are provided then pods are evicted randomly. To avoid this problem, allocate
sufficient resources to the pods. In addition, there are known issues with log rotation in
Kubernetes that are documented here: https://github.com/kubernetes/kubernetes/issues/59902. The
lack of log rotation can cause logs to grow, limited only by the amount of storage on the node,
eventually causing pods to restart. Therefore ensure that appropriate log levels are configured for
all API Connect
components.
You may also follow the instructions described here https://success.docker.com/article/how-to-setup-log-rotation-post-installation to set the maximum size of the log before it is rolled (max-size) and the maximum number of log files that can be present (max-files). More information about the Docker JSON File logging driver is available here: https://docs.docker.com/config/containers/logging/json-file/.
- A Product that was defined in API Connect Version 5 might fail to publish
- If you import a Product and it's referenced APIs, and the Product and APIs were defined in API Connect Version 5, attempts to publish the Product fail because the API references are lost from the Product. To resolve this situation, add the APIs to the Product, by using either the Product Design page or Source page, before publishing again.
- API Manager pods might restart due to an out of memory condition
- It is possible that during heavy workloads over long periods of time the API Manager pods might reach an out-of-memory condition causing them to restart. The multiple node design of the environment will handle the load while the pod restarts.
- Changing the analytics association for a Gateway service might result in an error 504
- If you change the analytics association for a Gateway service in the Cloud Manager user interface, and the Gateway service is enabled in multiple Catalogs, the user interface operation might timeout with an error 504. However, the operation itself completes successfully.
- The migration of many subscriptions in a single operation might fail
- If you use any of the following CLI commands, or their API Manager user interface
equivalents where available, and the resulting number of application subscriptions that need to be
migrated is large, the operation might fail:
- apic products:replace
- apic products:execute-migration-target
- apic products:migrate-subscriptions
- Use the apic products:migrate-subscriptions to migrate the subscriptions in small batches. If you are replacing a Product, repeat the apic products:replace command after migrating all the subscriptions.
- Set a migration target, by using either the apic products:set-migration-target command or the Set migration target operation on the Product in the API Manager user interface. to allow users to migrate their subscriptions individually.
- The deletion of many subscriptions in a single operation might fail
- If you use any of the following CLI commands, or their API Manager user interface
equivalents where available, and they result in many consumer organizations needing to be deleted in
turn, the operation might fail:
- apic orgs:delete
- apic catalogs:delete
- apic catalogs:clear
- apic spaces:delete
- apic spaces:clear
- apic consumer-orgs:clear
- Logging in to the API Connect user interfaces fails when using the Safari web browser
- If you are using the Safari web browser and a Basic Authorization header exists for the same DNS domain in which API Connect is running, attempts to log in to the API Connect user interfaces, or to sign up by using an activation link, fail. To avoid this problem, use an alternative web browser.
- Endpoints cannot be changed by using APICUP after they have been configured in Cloud Manager
-
The changing of endpoints with APICUP after they have been configured in Cloud Manager is not supported. Any such endpoint changes will not be propagated to a running deployment.
- If the name of an API is changed, Products that contain the API fail to publish
- If you change the
x-ibm-name
field of an API in the Source tab, or you change the Title field of an API in the Design tab, thereby causing thex-ibm-name
field to be updated, any Products that contain the API fail to publish because the API name reference in the Product is not updated. To resolve this problem, open the Source tab for the Product and update the APIname
references to match the new name. - If an API is deleted from a Product, it is not deleted from Plans in the Product
- If an API is deleted from a Product, it is not deleted from any Plans in the Product that contain that API. After deleting an API from a Product you must manually delete the API from any Plans to which it was previously added.
- The apicup utility appears to hang after executing a backup or restore command
- On Version 2018.4.1, the
apicup
utility might appear to hang after you run abackup
orrestore
command. You can verify thatapicup
is still running, or succeeded:- For a backup command, such as
apicup subsys exec backup
:- Verify that the backup job is created. Enter
kubectl get jobs -n <namespace>
and verify that the job successful status is1
. - Verify that the backup pod is created. Enter
kubectl get pods -n <namespace> -a
and verify that the pod status is either still running or completed.
- Verify that the backup job is created. Enter
- For a restore command, such as
apicup subsys exec restore
:- Verify that the restore job is created. Enter
kubectl get jobs -n <namespace>
and verify that the job successful status is1
. - Verify that the restore pod is created. Enter
kubectl get pods -n <namespace> -a
and verify that the pod status is either still running or completed.
- Verify that the restore job is created. Enter
- For a backup command, such as
- Unenforced APIs are not supported in the user interfaces
- The setting of the Enforced API option to false, meaning that the API is to run on a gateway other than an API Connect gateway, is not currently supported in the API Designer or API Manager user interfaces. Attempts to publish, from the user interfaces, a Product that contains a non-enforced API will fail. To publish such a Product, use the developer toolkit CLI, or the REST APIs.
- The API Designer user interface cannot be used with an OIDC user registry
- You cannot use an OIDC user registry for logging in to the API Designer user interface. Either configure a non-OIDC registry for API Designer use, or use the equivalent capability in the API Manager user interface.
- API Designer limitation when running on IBM Cloud
- API Designer cannot establish a connection to the management server in order to create a cloud connection when the management server is running on the IBM Cloud platform.
- Terms of use cannot be enforced for OIDC Developer Portal users.
-
You can configure terms of use for users of the Developer Portal so that the user must accept the terms and conditions before they can register or log in. This feature does not work if the user is using OIDC.
For more information, see Forcing new users to accept terms and conditions.
- An OAuth provider fails if the resources that it references aren't enabled in the Catalog
- If you enable an OAuth provider in a Catalog then any resources that it references, such as API user registries or TLS client profiles, must be enabled in the same Catalog; if not, then although the OAuth provider might publish successfully it will fail at run time. For information on enabling resources in a Catalog, see Creating and configuring Catalogs.
- API Connect does not support resizing storage capacity or modifying storage class of the Cassandra database
- If you updated
cassandra-volume-size-gb
orstorage-class
in apiconnect-up.yml prior to upgrading the management server, the upgrade completes successfully but the Cassandra servers are not upgraded. You can correct this problem by following the troubleshooting steps in Upgrading in a Kubernetes environment.