Version 10.0.1.x known limitations
This page describes known limitations for IBM® API Connect Version 10.0.1.x.
- You cannot upgrade to API Connect 10.0.6.0 or later from any version of 10.0.1.x
- A direct upgrade from any version of 10.0.1.x to API Connect 10.0.6.0 or later is not supported. You must upgrade to 10.0.5.x as an interim step before upgrading to 10.0.6.0.
- Image host changing from docker.io to icr.io
- API Connect is changing product image hosting services from docker.io to icr.io. API Connect images on docker.io are available but are subject to Docker rate-limiting terms after Dec 31, 2022. To prevent rate-limiting issues, complete the steps in OpenShift: Updating ImageContentSourcePolicy to mirror API Connect images from icr.io.
- New ibm-apiconnect-operator pod fails to start due existing terminating ibm-apiconnect-operator pod holding lock
- The IBM API Connect
operator uses leader election (leader-for-life) to ensure that only one operator/controller pod is
running/active at a time. This relies on Kubernetes garbage collection to clean up the lock when the
old operator pod is deleted. The new ibm-apiconnect operator pod fails to start if an existing
terminating ibm-apiconnect operator pod is still holding the lock.
If you suspect you are encountering this issue, verify it by running the following command:
kubectl -n <namespace> logs <new-ibm-apiconnect-pod-name> | grep "LockOwner"
If the lock is the problem, the log contains a message similar to the following example:
existing lock","LockOwner":"ibm-apiconnect-xxxxxx held by terminating pod
Resolve the issue by completing one of the following options:
- Force delete the terminating pod by running the following command:
kubectl -n <namespace> delete pod <terminating-ibm-apiconnect-pod-name> --force --grace-period=0
Kubernetes deletes the lock when the pod is deleted.
- Remove the lock manually by running the following
command:
kubectl delete cm ibm-apiconnect-lock
- Force delete the terminating pod by running the following command:
- API Designer might hang while activating a large imported API
- When you import a large API using API Designer and attempt to activate the API in the import
wizard, the process might hang. If you encounter this issue, you can work around the problem by
completing the following steps:
- On your local file system, locate the autoproduct file called API-NAME-auto-product_API-VERSION.yaml.
- Delete the file.
- In API Designer, edit the newly imported API and activate it by clicking the Online toggle.
In general, it is best practice to activate an API using the Online toggle or by publishing the API with the Publish option.
- API Designer on Windows: APIs that use WSDL might encounter errors, or fail to activate, publish, or update.
- If you activate, publish, or update a REST or SOAP API that uses a WSDL file, the operation might fail and never complete. Work around the issue by using the autopublish API feature in the API editor.
- Analytics UI does not correctly display data if the URL includes catalog names instead of catalog IDs.
- The Analytics UI does not correctly display data if the URL includes catalog names instead of catalog IDs. Work around this issue by navigating to the Manage Catalogs page, selecting the catalog, and then returning to the Analytics page to view the data.
- Test tab does do not support Catalogs with Life Cycle or Production mode enabled
- The Test tab does do not support Catalogs with Life Cycle or Production mode enabled; however there are sme cases where the selection of those unsupported catalogs is not disabled. When you save test preferences that use an supported Catalog, you will encounter errors when you activate the API.
- API Designer on Windows: API Designer slow to update after canceling a Product edit
- When running API Designer on Windows, canceling an edit to a Product property (without saving the changes) sometimes results in a delay before the user can edit the Product again. Work around this issue by either minimizing API Designer application window once, reloading the Product page, or returning to the Products list page and selecting the Product again.
- Permission restrictions in the API Designer UI
- The API Designer UI
currently has the following permission restrictions:
- Developers that have been given only View permissions cannot see the Test tab in the API editor. For developers to be able to see the Test tab, they must be given a different permission level. For information about the default permission levels available, see API Connect user roles.
- Users with API-Drafts permissions, but who don't have any Sandbox Catalog permissions, cannot see the Test preferences in the Sandbox Catalog. For these users to be able to see the Test preferences, they must be given the Developer or Administrator role on the Sandbox Catalog.
- Deleted security requirements might remain in the API source
- Security requirements that are deleted from APIs in the API Designer and API Manager UIs, might still remain in the source. To work around this issue, click the Source icon in the API editor, and manually remove the security requirements.
- Sometimes the completion of an SFTP restore on the Management subsystem does not restore the actual data.
- There is a known issue where sometimes a restore from the Management subsystem's SFTP backup succeeds but the data is not restored. If this happens, run the restore again.
- Customized application view is reset to the default after upgrade if forums are also disabled
- When upgrading API Connect version 10.0.1.8
or earlier to version 10.0.1.9 or later, if you have disabled forums on your Developer Portal
site, and you have customized the application view, the customized application view will be reset to
the default after the upgrade. To work around this issue, you can save the customized application
view before running the upgrade, and then import the view into the upgraded Developer Portal.To save the customized application view, run the following commands:
Wheremkdir /tmp/tmp_config_<site-alias> drush @<site-alias> config-get views.view.applications > /tmp/tmp_config_<site-alias>/views.view.applications.yaml
<site-alias>
is the alias of your Developer Portal site.To import the saved view after the upgrade, put the views.view.applications.yaml file inside a directory where it's the only file, and then run the following command:drush @<site-alias> config-import --partial --source=/tmp/tmp_config_<site-alias>/
- Upgrading from versions older than 10.0.1.6 fails if the
backrestStorageType
property is null - Upgrading API Connect from versions older than 10.0.1.6 might fail during
the operator upgrade step if the
backrestStorageType
property in the pgcluster CR is set (or defaulted) to null. For instructions on correcting the problem, see Troubleshooting installation and upgrade on OpenShift. - Cannot add comments to APIs by using the Source view in the API Designer and API Manager UIs
- Comments cannot be added to APIs in the API Designer and API Manager UIs by clicking the Source icon , and using the hashtag symbol.
- Stale cache can result in unexpected behavior in the Cloud Manager and API Manager UIs
- Having a stale cache in your browser can result in unexpected behavior in the Cloud Manager and API Manager UIs, such as fetch
errors, incorrect data being displayed, and blank pages. To work around this issue, particularly if
you have just upgraded your deployment, complete the following actions:
- Reload the browser window.
- If there is still an issue, clear the browser cache and then log back in to the UI.
- Try using a private browser window.
- If possible, try a different browser type.
- The "Select compatible gateway services" option in Test Preferences results in an incorrect request URL in the Test tab
- In the Select compatible gateway
services and choosing a specific gateway results in an incorrect short-form URL being
supplied as the request URL when you test the API in the API Explorer or the Test tab.
Workaround: To avoid this problem, select the Use all compatible gateway services target gateway option instead.
setting, selecting - Options menus in the Catalog might be hidden
- In a Catalog, in any of the different tabs such as Consumers, or Subscriptions, when clicking on the options icon the menu items might be hidden. To work around the issue, reload the page and the menu items will appear.
- Override plan rate limits are not displayed in the Endpoint tab
- Any override plan rate limits that have been added to your API for individual operations are not displayed in the API Endpoint tab in the UI. Only the plan rate limit is displayed.
- Updates to members in the UI might not automatically refresh
- Updates to members in the Cloud Manager and API Manager UIs might not automatically refresh. However, you can click the Refresh icon to manually refresh your browser.
- Making an API online with your own test preferences might not activate the API
- When editing an API, if you use the activation slider control to bring it
Online with your own test preferences for the Target
catalog, Target product, Target plan, and
Test application, the slider control might not change to
Online, and there might not be any error message.
To work around the issue, check if the application already has a subscription to a different Plan in the same Product, as the test application can subscribe to only one Plan per Product. Then, either delete the additional subscriptions, or select a different Test application, and bring the API online again.
- Approval links in emails might point to the wrong Catalog when multiple Catalogs have the same name.
- If multiple provider organizations use the same name for a Catalog with the life-cycle enabled,
then approval links in emails might point to the wrong Catalog. When user clicks the link, the
Catalog does not display any Products or approval requests in the Task tab.
You can work around the incorrect link by clicking Manage and selecting the correct Catalog.
- API Designer shows incorrect validation errors regarding missing API properties for OpenAPI v3.0 APIs
- Example validation error:
should not have additional property 'openapi'
. These incorrect validation errors have no impact on the API, so users can ignore these errors and still execute all operations on the API including staging and publishing. - Unable to publish a non-enforced API using a new product
- When a user tries to publish a non-enforced API through the publish wizard and
selects a new product, then when they select a catalog, the warning message "Catalog is incompatible
with the gateway type specified in the API or product" displays even though the operation should be
allowed.
Work around: Either edit the new product, specify a gateway for the product, and then publish the API, or use an existing product to publish the API.
- You cannot install a "standalone" API Connect deployment on an OpenShift cluster where Cloud Pak for Integration is present
- If an OpenShift cluster has Cloud Pak for Integration installed, then all API Connect deployments on that cluster are considered to be part of the Cloud Pak for Integration deployment, which will attempt to integrate with the standalone API Connect deployments.
- Analytics ingestion fails when message queue is enabled and the payload size exceeds the message size limit for the message queue
- By default, the Analytics message queue has a limit of 5 megabytes (5242880 bytes) for the message size. If you enable payload activity logging, then large API request or response payloads might require a higher limit to avoid problems with analytics data ingestion. If you encounter a message like the following example, you can increase the message size limit as explained in Overriding size limits for message queue (Kubernetes, OpenShift, or Cloud Pak for Integration) and Overriding size limits for message queue on VMware (VMware).
- Consumer rate limit notifications are not available in Version 10
- The ability to configure notifications for applications so that API consumers are alerted when the usage of an API is nearing its rate limit is not available.
- A secret fails to update because cert-manager Version 0.10.1 is incompatible with Kubernetes Version 1.20 or later
-
Your pods do not go ready and you are using cert-manager certs and Kubernetes Version 1.20 or later, or OVAs as they are Kubernetes Version 1.20. To work around this limitation, check your cert-manager certs to see if any of them show
False
in theREADY
column, for example:
If they do show as$ kubectl get cert <portal-server> NAME READY SECRET AGE portal-server False portal-server 4m46s
False
, delete the corresponding secret by using thekubectl delete secret
command. The cert-manager is then able to create a new secret. - If an API is published by using the auto-publish toggle, the Visibility and Subscribability of the Product always defaults to Public and Authenticated, respectively
- When testing an API and using the auto-publish toggle to make the API Online, the Visibility and Subscribability of the draft Product will always default to Public and Authenticated, respectively, instead of what is set in the draft Product.
- Viewing multiple dashboards in a non-incognito browser is not supported
- Either an incognito (private) browser tab or a separate browser instance is required for viewing dashboards in multiple Analytics services simultaneously.
- Workaround required to enable log rotation on VMware
- On VMware deployments, there is a known limitation which prevents the log rotation feature from working correctly. The limitation can cause syslog to grow very large and consume all available disk space. To workaround this problem, see Workaround to enable log rotation
- Workaround required when switching deployment profile after upgrading to 10.0.1.5-eus
- After installation, you can
optionally switch deployment profiles, such as when scaling up from a development profile to a
production profile. If you upgraded to Version 10.0.1.5-eus from a previous version of API Connect,
and you then choose to switch profiles, you must first perform a workaround to patch role secret to
add permissions.
The workaround is included in the switch profiles steps for your deployment type:
- Kubernetes: Switching deployment profiles on Kubernetes
- VMware: Switching deployment profile on VMware
- OpenShift: Switching deployment profiles on OpenShift
- Cloud Pak for Integration: Changing the deployment profile on Cloud Pak for Integration
- Problems when you activate an API from API Designer in the wizard flows on Mac and Windows
- When you create APIs using any wizard flow and click Activate
API, the following error might display:
Cannot read property 'id' of undefined
. This error can be ignored. To activate the API, edit it and set the activation toggle to Online.If you don't see an error message but suspect there is a problem, check the Product in API Manager to make sure it has a subscription. If there are no subscriptions, create one manually. This will activate the API and set it online. Then, when you view the API in API Designer, the status will be updated to show the API as Online.
- 404 error when resending an invitation link after the user registered with API Connect
- If you send an invitation to a user and the user registers with API Connect using
Keycloak, the invitation status is not refreshed until you refresh the page. If you think the
invitation is Pending and re-send it after the user registered, the link will no longer be valid and
you will see a 404 error.
You can avoid the error by manually refreshing the page to verify the invitation status before re-sending it.
- A non-enforced API that uses WSDL cannot be published if the
x-ibm-configuration.gateway
value is set - After renaming or creating a new version of a WSDL-REST or WSDL-SOAP
non-enforced API, you might see the
x-ibm-configuration.gateway
value set todatapower-gateway
ordatapower-api-gateway
. This setting is not supported for non-enforced APIs and will prevent the API from being published.The workaround is to edit the API definition's YAML file and remove the
x-ibm-configuration.gateway
setting. - Products should reference APIs with the default generated labels
- If you change the API reference label in a Product to something other than the
default generated label, then the next publish will create duplicate copies of the APIs within that
Product.
The workaround is to edit the YAML file containing the Product definition and remove the duplicate entries.
- Working with an active GraphQL subscription in multiple browser tabs at the same time is not supported
- If you create a GraphQL API that supports subscriptions, set it online, and attempt to work with it in multiple browser tabs at the same time, then terminating the subscription in one tab results in problems because subscriptions in other tabs can't be terminated properly.
- Configuration update mistakes cause admission webhook errors in OpenShift and Cloud Pak for Integration
- In OpenShift and Cloud Pak for Integration, configuration update errors can cause the
APIConnectCluster
instance to go into the Pending state with an underlying component throwing an admission webhook error.oc get apiconnectcluster -n APIC_namespace NAME READY STATUS VERSION RECONCILED VERSION AGE m1 admission webhook "vmanagementcluster.kb.io" denied the request: ManagementCluster.management.apiconnect.example.com "m1-mgmt" is invalid: [spec.databaseBackup.restartDB.accept: Invalid value: false: databaseBackup protocol has changed (from '' to 'objstore') and requires database restart. accept restartDB to restart database, spec.databaseBackup.restartDB.accept: Invalid value: false: databaseBackup configuration has changed and requires database restart. accept restartDB to restart database] Pending 10.0.1.5-3388-eus 10.0.1.5-3388-eus 2d6h
- The 'strict' SameSite cookie causes incorrect invitations to consumer orgs
- Using the 'strict' SameSite cookie might cause invitation links from emails to
send users to a registration page where they are asked to create a new consumer organization instead
of joining the organization they were invited to.
The workaround is to using the 'Lax' SameSite Cookie attribute.
- Multiple gateways not supported in Test tab
- If you have multiple gateways associated with a catalog, only one gateway endpoint displays in the selection list for the GET field on the Test tab, and you can only test the API with the listed endpoint.
- Extended sessions might result in page refresh issues
- If you stay logged in to API Connect for an extended period of time, you might experience an issue with the page failing to load properly after a refresh. To resolve the issue, log in to API Connect in a new browser session.
- Analytics data might not show with DataPower API Gateway after upgrading from V2018
- Following an upgrade from V2018, analytics data might not appear when using
the API Gateway. To restore the flow of analytics data, unassociate and then re-associate the
analytics service with the gateway. For more information, see Associating an
analytics service with a gateway service.
The v5-compatible gateway does not experience this limitation.
- Analytics UI might display an error after upgrading from V2018
- After an upgrade from Version 2018 to Version 10, the Analytics UI might fail
to render in API Manager and display an error similar to the following example:
To resolve the error, follow the instructions in Troubleshooting Analytics start-up.
- Performance impact when publishing products from API Designer
- When you publish a product from API Designer and have 10 or more catalogs available, you might experience a performance degradation.
- Limitations to the OpenAPI 3.0 support
- IBM API Connect supports the OpenAPI 3.0 specification, with some limitations. For information about what is supported, see OpenAPI 3.0 support.
- Upgrading the Management subsystem from 10.0.1.4-ifix1-eus requires additional down-time
- When you upgrade from the Management subsystem 10.0.1.4-ifix1-eus to 10.0.1.5-eus, expect the process to take longer than in previous upgrades and result in additional down-time for the Management subsystem.
- API Manager and API Designer do not always sync automatically
- Changes made in one application do not always display immediately in the other application. For example, if you modify a product in API Designer and publish the update, the change might not show up immediately in API Manager. If your update does not show, try refreshing the page.
- A GraphQL API that contains a
graphql-input-type-cost
rate limit fails to publish - A GraphQL API created in releases
earlier than IBM API
Connect
Version 10.0.1.4-eus might contain a
graphql-input-type-cost
rate limit, which is no longer supported. If you attempt to use the automatic activation mechanism to publish the API, or manually add the API to a Product and attempt to publish that Product, the publish operation will fail. You can resolve this problem in either of the following ways:- Remove the rate limit definition from the OpenAPI source for the API. For example, if the source
is in YAML format, remove the following lines:
- name: graphql-input-type-cost operation: consume
- Edit the source for the Product and define a
graphql-input-type-cost
rate limit in all of the Plans that include the API.Note: You can edit only a manually created Product, not a Product that is generated by the automatic activation mechanism.
- Remove the rate limit definition from the OpenAPI source for the API. For example, if the source
is in YAML format, remove the following lines:
- Upgrading a 3 node profile to IBM API
Connect 10.0.1.4-eus might
result in some
portal-db/www
pods being stuck in thePending
state - IBM API
Connect 10.0.1.4-eus
introduces the pod anti-affinity required rule, meaning that in a 3 node profile deployment, all 3
db
andwww
pods can run only if there are at least 3 running worker nodes. This rule can cause some upgrades to version 10.0.1.4-eus to become stuck in thePending
state. To resolve this issue, see one of the following workarounds:- On a Kubernetes deployment: Troubleshooting upgrades on Kubernetes
- On an OpenShift deployment: Troubleshooting installation and upgrade on OpenShift
- On a VMware deployment: Troubleshooting upgrades on VMware
- Update WSDL option is not supported in the API Designer UI
- The Update WSDL option to update the configuration of an existing SOAP API from a WSDL file or a .zip archive, is supported only in the API Manager UI, or by using the developer toolkit. This option is not supported in the API Designer UI.
- A unique email address is required for all Developer Portal accounts
- Remember that every account in
the Developer Portal,
including across different user registries for the same site, must have a unique email address,
including the site Admin account. The default email address for the Admin account is the email
address of the Catalog owner. It is not possible to create a Developer Portal user
account (and associated consumer organization) with the same email address as the Admin account (or
that of the Catalog owner if their email address is different). Any attempts to create an account
with the same email address results in the new account not functioning correctly, and returning the
following error message when trying to log in to the Developer Portal:
A user already exists with this email address
.For example, if you configure three different user registries for a particular Developer Portal site, the email address alice@acme.com can be used to log in to the site from only one of the user registries.
- A Product republish, with the Preserve Subscriptions option, fails after a consumer organization group has been removed from the visibility settings
- If you remove a consumer organization group from the custom visibility settings for a Product, and that group contains a consumer organization with an application that is subscribed to the Product, an attempt to republish the Product with the Preserve Subscriptions option will fail even if that consumer organization is then added to the custom visibility settings individually.
- Upgrade issue on OpenShift and Cloud Pak for Integration
- If you upgrade from IBM API
Connect Version 10.0.1.0-eus
directly to 10.0.1.x-eus on OpenShift, you will encounter a known problem with
the
API Connect operator
. During the upgrade, theAPI Connect operator
will be stuck in the "Upgrade available" state as shown in the following image:In addition, the
catalog-operator
in theOLM
namespace will throw the following error:sync "< namespace >" failed: found more than one head for channel
You can work around the error by completing the following steps:
This workaround will not have a downtime impact.- Delete the following operators:
DataPower operator
,Common services operator
, andibm-apiconnect operator
. - Re-install the
ibm-apiconnect operator
.
- Delete the following operators:
- You cannot log in to API Designer from Windows by using a Facebook registry.
- If you try to log in to API Designer with a Facebook user registry, a new window opens with a blank page, and you cannot progress any further. This happens when you use Windows only.
- When checking cluster health on VMware, harmless warning messages might be returned
- On Version 10.0.1.2-eus on
VMware, the command
apicup subsys health-check
may return some warning messages. The warnings are harmless and can be ignored. The warnings occur because the CRD version for some Kubernetes resources has been deprecated, but the resources have not been removed so are still supported. For details, see Checking cluster health on VMware. - An existing user cannot be added to a Space
- If you attempt to add an existing user
to a Space, the operation cannot be completed because the Create button is
not enabled. Instead, use the invitation mechanism. For details, see Managing Space membership.Note: The invited user must use the Sign in option on the activation form, rather than completing the registration details and using Sign up.
- Adding an
operation-switch
policy to an API assembly produces an incorrect warning message - If you add a Version 2.0.0
operation-switch
policy to an API whose gateway type is DataPower® API Gateway, the API Setup page on the Design tab displays an incorrect warning stating that the policy is not valid for the gateway type. This warning message can be ignored. - Simultaneous editing of the same API by multiple users might result in changes being overwritten
- If one user saves changes to an OpenAPI 3.0 API, another user who has the same API open in the API editor might have their changes overwritten.
- An API developed for IBM API
Connect Version 2018.4.1 that
uses an
apim.getvariable('message.body')
function call fails in IBM API Connect Version 10 - With the DataPower API
Gateway in IBM API
Connect Version 2018.4.1, the
type of object returned, for XML payloads, by an
apim.getvariable('context_name.body')
function call in a GatewayScript policy in an API assembly depends on how the variable is stored in the gateway context, as follows:- If the variable is stored as a Buffer (because the variable data was written as an XML string),
an XML Nodelist is returned provided that
contextname.headers.content-type
is an XML type. - If the variable is stored as a parsed XML Document (because the variable data was written as parsed XML, either as an XML document or an XML Nodelist), an XML document is returned.
With the DataPower API Gateway in IBM API Connect Version 10 however, the same function call always returns an XML Nodelist provided that
contextname.headers.content-type
is an XML type. Therefore, such an API developed for Version 2018.4.1 will fail in Version 10 if it is configured to expect an XML document, and will need to be reconfigured appropriately.The problem does not occur with such an API migrated from IBM API Connect Version 5 because, with that release,
apim.getvariable('context_name.body')
also returns an XML Nodelist for XML payloads, nor does it occur if you are using the DataPower Gateway (v5 compatible).context_name
could bemessage
,request
, or the name of the output from aninvoke
policy. - If the variable is stored as a Buffer (because the variable data was written as an XML string),
an XML Nodelist is returned provided that
- Validate policy limitations when GraphQL response contains a GraphQL server error
- When a GraphQL response contains a GraphQL server error and no
data, the assembly Validate policy generates an error on the missing data and overwrites the
payload. When the response contains partial data and an error, the assembly Validate action
validates the data and overwrites the payload. To work around this limitation, use the condition
$not($exists(message.body.errors))
in an assembly switch condition to skip the assembly Validate policy when the response contains errors.
- S3 backup type must be specified when configuring S3 backups on CP4I Platform Navigator or OpenShift Form UI
- When you configure S3 backups for the Management subsystem, you must specify an S3
backup type of
ibm
oraws
. The graphical user interfaces for Cloud Pak for Integration and for OpenShift incorrectly state the specification of S3 backup type is optional. In the CP4I Platform Navigator, or the OpenShift Form UI, when you configure Management System > Database Backup, be sure to select the S3 provider type menu and specify a supported value. For more information see Configuring backup settings for fresh install of the Management subsystem (10.0.1.1-eus or later) and the Database Backup table in the Management subsystem section of IBM Cloud Pak for Integration. - A management backup remains in a
Pending
state - A management backup might remain in a
Pending
state for a long period of time, particularly after having upgraded the management subsystem. To resolve this problem, you must remove the pending backup and operation lock, and then re-run the backup CR. To remove the pending backup and operation lock, complete the following steps: - GraphQL API test fails when the generated example query contains variable definitions
- If, when testing a GraphQL API
in the Test tab, you use the Example dropdown menu to
generate a Small, Medium, or
Large query, and the generated query contains variable definitions, those
variables are not added to the HTTP request, which then fails with the following
error:
Parser failed with error: syntax error, variables type is neither a JSON object nor null.
To resolve this problem, modify the query to remove the variable definitions before re-sending the HTTP request.
- Changes to parameters in an API definition aren't reflected on the Test tab
- If you add or remove parameters in an API definition on the Design tab and then open the Test tab, the changes might not be reflected immediately. If you are using the API Manager user interface, either restart the browser or clear the browser cache and cookies, if you are using the API Designer user interface, restart the application. Then reopen the Test tab in the API definition.
- An OpenAPI definition that contains regular expression syntax fails validation
- IBM API
Connect supports the GO regular expression
syntax. When you import an OpenAPI definition into the API Designer or API Manager user interfaces, or
validate one with the
apic validate
, the validation will fail if the OpenAPI source contains unsupported regular expression syntax, with errors that includeDoes not match format 'regex'
; for example:- Must validate at least one schema (anyOf) (context: (root).paths./example/types.post.parameters.0.schema.properties.items, line: 0, col: 0) - Must validate one and only one schema (oneOf) (context: (root).paths./example/types.post.parameters.0, line: 46164, col: 21) - paths./example/types.post.parameters.0.schema.properties.items.properties.pattern Does not match format 'regex' (context: (root).paths./example/types.post.parameters.0.schema.properties.items.properties.pattern, line: 0, col: 0)
- During migration, the
archive:unpack
fails to find an OAuth provider - When migrating API Connect to Version 10,
the
archive:unpack
command might generate a warning like the following:WARN[2020-06-04T09:29:54-04:00] Leaving a placeholder OAuth Provider which must be replaced in draft API <api name>: Unable to find an OAuth Provider to extract from Token URL or Authorization URL <api token/authorization URL> with basePath /<base path> and scopes <scope list>.
A possible cause is that an OAuth provider matches the API path but is missing the necessary scopes. To resolve this problem, complete the following steps:
In addition, if the OAuth Provider references a user-registry in auser-security
section, and this user-registry is not specified in thecloud/provider-orgs/<provider_organization_name>/catalogs/<catalog_name>/configured-api-user-registries
folder, then add an entry of the following form to ensure that the user-registry is pushed to the Catalog:api_version: 2.0.0 name: name://../../../user-registries/<user_registry_name>/user-registry.yml type: configured_api_user_registry user_registry_url: file://../../../user-registries/<user_registry_name>/user-registry.yml
- The migration of a user registry fails
- When migrating API Connect to Version 10, a
user registry might fail to be pushed to the API Manager with errors like the
following:
ErrorLog2020-06-02T08:35:37-04:00.log:ERRO[2020-06-02T08:36:07-04:00] unable to create User registry <user registry name> ErrorLog2020-06-02T08:35:37-04:00.log:ERRO[2020-06-02T08:36:07-04:00] orgldap: An error occurred communicating with the ldap server at 'ldaps://<ldap-address>' (error: 'Error: self signed certificate in certificate chain').
To workaround this problem, for any artifacts, such as APIs or OAuth providers, that reference this user registry in their User Security section, replace the user registry with one that has been successfully migrated.
- The migration of an OAuth provider push fails due to a missing TLS client profile ID
- When migrating API Connect to Version 10,
an OAuth Provider might fail to be pushed to the API Manager with an error like the
following:
and subsequently an error like the following:unable to create Oauth provider <provider name> <provider name>: The expected path parameter 'tls-client-profile-id' is missing from the request URL.
unable to create Configured oauth provider <provider name> <provider name>: The 'oauth_provider_url' property value '/api/orgs/<org>/oauth-providers/<provider name>' does not refer to a known Oauth Provider.
This is caused by an OAuth provider containing a custom HTML form in one or more User Security sections that specifies an
ei-custom-form-tls-client-profile
or anaz-custom-form-tls-client-profile
.To resolve this problem, use the default TLS client profile by specifying a value of
''
. - When scaling down a Kubernetes cluster of DataPower gateways, the cluster might enter an unrecoverable state if the peering primary instance is lost
- If you are scaling down a Kubernetes cluster of DataPower
gateways, you must first complete the following steps to ensure that the peering primary instance is
not lost:
- Incorrect UI behavior if API changes are not saved before creating a new API version
- If you make changes to an API definition and then attempt to create a new API version without first saving your changes, you are not prompted to save your changes until after you have completed the new version creation operation. If you click OK in the prompt, your new version is created but your original changes are lost; to create your new version and retain your original changes, you should click Cancel in the prompt, then click Save to save your original changes.
- Truststore and keystore settings in a shared TLS client profile are not reflected in API Manager
- If you create a shared TLS client profile in the Cloud Manager user interface and assign a truststore and a keystore, these truststore and keystore settings are not reflected in that TLS client profile in the API Manager user interface and cannot be set there. Furthermore, the TLS client profile list views display the value shared for the truststore and keystore rather than the correct values. To workaround this problem, create the truststore, keystore, and TLS client profile separately for each provider organization in the API Manager user interface, then enable the TLS client profile in your Catalogs as required.
- An invited Space owner cannot work with consumer organization groups
- If you enable Spaces in a Catalog and invite a user with Space Owner permission, the invited user cannot create, edit, or manager consumer organization groups, and cannot add consumer organizations to an existing consumer organization group.
- Login to the Cloud Manager or API Manager user interfaces might fail with error 431 if the browser has a large number of cookies
- Attempts to login to the Cloud Manager or API Manager user interfaces might fail if the HTTP header or cookie size is larger than 16 KB, a limitation that is imposed for security reasons. To resolve this problem, either clear the browser cache and cookies, or open a private window, then retry.
- The
apic cloud-settings:topology
command doesn't return a topology object - If you use the
apic cloud-settings:topology
command without a--format
parameter, it returns only the stringCloudTopology
rather than the cloud topology. To retrieve the topology object, include the--format
parameter, with a value of eitheryaml
orjson
as required. - The
apic cloud-settings:mail-server-configured
command response is incorrect - If you use the
apic cloud-settings:mail-server-configured
without a--format
parameter, it returns only the stringMailServerConfigured
rather than a boolean value to indicate whether an email server has been configured in the cloud settings. To retrieve the correct response, include the--format
parameter, with a value of eitheryaml
orjson
as required. - API Designer user interface might not open correctly if there are badly formed OpenAPI YAML files in the startup directory
- If, when launching the API Designer user interface, the
startup directory that you select contains one or more badly formed OpenAPI YAML files, the
interface might fail to load correctly, with an error such as the
following:
Cannot read property 'type' of null
To resolve this problem, remove any invalid OpenAPI YAML files from the startup directory, then restart the API Designer user interface.
- Pagination setting is global across the API Connect user interfaces
- If you set the Items per page value on any page in either the Cloud Manager or API Manager user interface, that setting is then applied to all pages in both user interfaces in the same browser session. If you want to set the value separately for a specific page, open it in a private browser window. Such a setting in a private browser window is specific to that window and is lost when the window is closed.
- Refresh tokens are not supported in the API Manager or API Designer user interfaces with an OIDC registry
- The use of refresh tokens is supported in API Manager, API Designer, the Developer Portal, and the toolkit CLI, provided that the user logs in with a non-OIDC Provider user registry. If the registry type used for user login is OIDC, then refresh tokens are not supported in API Manager or API Designer. For more information, see Specifying cloud settings for refresh tokens.
- Setting resource limits in Kubernetes can cause containers to behave oddly at run time
- In Kubernetes, you can set resource limits for each container. However, limiting CPU means that the container processes might slow down if they try to use too much. Limiting memory means that the Kubernetes code kills processes that try to allocate memory that would take the container over its limit. These limits can result in odd behavior such as the containers continually trying to start a daemon process, such as nginx or node, and exiting with success immediately.
- Field validation for the Client security policy is incorrect
- When configuring a Client Security policy in an API
assembly in the API Designer
or API Manager user
interfaces, there is the following incorrect validation behavior:
- The ID Name field is required, but the API definition can be saved without entering a value in the field.
- The Secret Name field is required only when the Secret Required option is selected, but the user interface indicates that the Secret Name field is required regardless. Furthermore, when the field is required, the API definition can be save without entering a value.
- If the Authenticate Client Method is set to Third party, the User Registry Name field is required, but the API definition can be saved without entering a value in this field.
- Requests that take longer than the value of the nginx timeout cause a 409 error
-
Requests that take longer than the value of the
nginx
timeout can cause a 409 error, such as:
The error occurs because the ingress controller is sending a repeat request when the previous one timed out. Your request will still continue processing in the background.Another request is operating on portal-subsystem-03729230-4df7-4419-94c9-e7691b616382 with the same name, please try again.
- Adding members to a provider organization might fail
- When adding members to a provider organization, the Cloud Manager user interface lists the current owner and members as well. If existing members are selected, the add action will fail.
- Upgrading with new certificates breaks analytics ingestion
- If the analytics subsystem certificates are modified after installation (by using the apicup certs set command , followed by the apicup install command to deploy the change to the cluster), the analytics ingestion ingress will no longer be recognized by the Gateway. The analytics service must be re-registered in the Cloud Manager interface so that the new certificates are recognized.
- Users are not logged out of the user interfaces after tokens expire
- If an API Manager or Cloud Manager user interface session times out, the user does not get redirected to the login page and might see an error. To redirect to the login page, refresh the browser window.
- User interfaces are not supported in Microsoft Edge
- The API Manager and Cloud Manager user interfaces are not supported in the Microsoft Edge web browser. To work in the user interfaces, use a different browser.
- New gateways cannot connect to existing gateways after the gateway peering certificates are changed
- Changing the gateway peering SSL certificates after gateway installation causes new gateways to be unable to connect to existing gateways, resulting in an outage. A full restart of the gateway StatefulSet (by deleting all the StatefulSet pods) is required for the gateways to come back online.
- Changes to an OAuth provider are not reflected in the consuming APIs
- If you modify the endpoints, scopes, or grants for an OAuth provider, the APIs that consume that OAuth provider will be affected. You might need to update the consuming APIs accordingly.
- No option to bulk delete APIs or Products
- In the API Designer and API Manager user interfaces, there is currently no option to delete multiple APIs or Products in a single operation; in the user interfaces, APIs and Products must be deleted individually. However, you can bulk delete APIs and Products by using the REST API or CLI interfaces.
- Cannot publish an imported API that was generated with IBM API Connect Version 5.0 LoopBack®
- If
you import an API YAML file that was generated with IBM API Connect Version 5.0
LoopBack, attempts to
publish the API fail. Before publishing, remove the catalogs section, and the invoke policy named
tls-invoke-profile
, from the YAML source of the API definition; for example:catalogs: apic-dev: properties: runtime-url: $(TARGET_URL) sb: properties: runtime-url: 'http://localhost:4001
- Can't publish an API that has duplicate security definition entries
- The API Designer and API Manager user interfaces allow you to add duplicate security definitions to an API. However, attempts to publish the API will fail with OpenAPI validation errors. Ensure that the security definitions in an API are unique.
- Kubernetes might excessively evict pods
- In Kubernetes, if insufficient memory, CPU, or
storage resources are provided then pods are evicted randomly. To avoid this problem, allocate
sufficient resources to the pods. In addition, there are known issues with log rotation in
Kubernetes that are documented here: https://github.com/kubernetes/kubernetes/issues/59902. The
lack of log rotation can cause logs to grow, limited only by the amount of storage on the node,
eventually causing pods to restart. Therefore ensure that appropriate log levels are configured for
all API Connect
components.
You may also follow the instructions described here https://success.docker.com/article/how-to-setup-log-rotation-post-installation to set the maximum size of the log before it is rolled (max-size) and the maximum number of log files that can be present (max-files). More information about the Docker JSON File logging driver is available here: https://docs.docker.com/config/containers/logging/json-file/.
- Logging in to the API Connect user interfaces fails when using the Safari web browser
- If you are using the Safari web browser and a Basic Authorization header exists for the same DNS domain in which API Connect is running, attempts to log in to the API Connect user interfaces, or to sign up by using an activation link, fail. To avoid this problem, use an alternative web browser.
- Endpoints cannot be changed by using APICUP after they have been configured in Cloud Manager
-
The changing of endpoints with APICUP after they have been configured in Cloud Manager is not supported. Any such endpoint changes will not be propagated to a running deployment.
- An OAuth provider fails if the resources that it references aren't enabled in the Catalog
- If you enable an OAuth provider in a Catalog then any resources that it references, such as API user registries or TLS client profiles, must be enabled in the same Catalog; if not, then although the OAuth provider might publish successfully it will fail at run time. For information on enabling resources in a Catalog, see Creating and configuring Catalogs.
- Redact conditions within
switch
,operation-switch
, orif
policies might not execute after converting to DataPower API Gateway -
If an API Connect v5-compatible
redact
policy is found within aswitch
,operation-switch
, orif
policy, the migration utility does not move theredact
policy to the beginning or end of the assembly. The difference in the response between API Connect v5 and DataPower API Gateway may prevent data from being redacted in the DataPower API Gateway.For example, if an assembly includes a
switch
policy containing four redact conditions followed by aninvoke
policy, each redact condition redacts the response data. After porting to the API Gateway, the redact conditions remain inside theswitch
policy and target themessage.body
property for redaction. These redactions fail to execute because themessage.body
property has not yet been retrieved by theinvoke
policy. To correct this problem, you must move theinvoke
policy before theswitch
policy in the assembly. - Redact on invalid XPath fails after converting to DataPower API Gateway
- A
redact
policy containing an XPath with a trailing slash is converted by the migration utilityapicm archive:port-to-apigw
command without removing the slash. This path is invalid. When the API containing this policy is called, anassembly redact
error is generated. - Analytics ingestion stability issue
- Analytics ingestion has a known stability issue when the message queue (MQ) is enabled. The events received by the Analytics subsystem from the Gateway might not display in the Analytics dashboard. This applies to fresh deployments, upgrading existing deployments, and also when switching the deployment profile from "development" to "production" while the message queue is enabled. To avoid these problems, ensure the message queue is disabled before making any changes to your analytics subsystem deployment. The message queue can be safely re-enabled once all updates to the analytics deployment have been completed.
- "Test" tab's Trace feature displays blank policies list in Firefox
- When you create an API, you can invoke it and debug its execution using the Test tab. The Test tab shows the API's response and includes a subtab where you can run a trace on the API's translation flow. In Firefox, the Trace tab's list of policies is empty. Use Chrome to debug your API so you can see the policies list in the trace.