20.02.03 - Apigee Edge for Public Cloud release notes

On Monday, March 2, 2020, we began releasing a new message processor version of Apigee Edge for Public Cloud.

New features and updates

Following are the new features and updates in this release.

JWT policies

  • JWT encryption

    The JWT policies now let you generate, verify, and decode encrypted tokens (JWE) in addition to signed ones. New elements on the policies include:

    • <Type> - Lets you set whether the policy works with signed or encrypted tokens.
    • <EncryptionAlgorithms> - Lets you set the <Key> (key-management) and <Content> (content-encryption) algorithms.

    (67165581)

  • Support for PSS algorithms in signed tokens

    The policies for generating and verifying JWT and JWS now support the PS256, PS384, and PS512 algorithms (RSASSA-PSS with SHA-256, SHA-384, and SHA-512), as described in IETF RFC 7518. (119856499)

  • GenerateJWT relative start time for token

    When generating a JWT with the GenerateJWT policy, the <NotBefore> element lets you specify how long after a token is generated it becomes valid (the nbf claim). For example, a <NotBefore> value of 2h means a token isn't valid until 2 hours after it's generated. You can set the <NotBefore> time in milliseconds (ms), seconds (s), minutes (m), hours (h), days (d), or weeks (w). (126261970)

  • Reference PublicKey/Certificate in VerifyJWT

    In the VerifyJWT policy, a <PublicKey> / <Certificate> element lets you reference the PEM-formatted certificate with which to verify incoming JWT signatures. For example:

    <PublicKey>
      <Certificate ref='public.certificate_pem'/>
    </PublicKey>

    (132918033)
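
The following is an added example, not taken from the release notes, that shows the new elements together in a GenerateJWT/VerifyJWT pair. Policy names, variable names (private.privatekey, public.certificate_pem, public.publickey, request.header.x-token) and claim values are placeholders. The <Type> values Signed and Encrypted, and the use of <PublicKey>/<Value> to carry the recipient's key in the encrypted case, are assumptions to check against the policy reference; the remaining elements are the existing GenerateJWT and VerifyJWT elements.

```xml
<!-- Added example (not from the release notes). Names and values are placeholders. -->

<!-- Issuing side: a PS256-signed token that becomes valid 5 minutes after issue. -->
<GenerateJWT name="JWT-Generate-PS256">
    <Type>Signed</Type>                      <!-- assumed default; shown for contrast with the encrypted case -->
    <Algorithm>PS256</Algorithm>             <!-- RSASSA-PSS, new in this release -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PrivateKey>
        <Value ref="private.privatekey"/>    <!-- PEM private key; a private.* variable is masked in Trace -->
    </PrivateKey>
    <Subject>device-1234</Subject>
    <Issuer>urn:example:issuer</Issuer>
    <Audience>urn:example:api</Audience>
    <NotBefore>5m</NotBefore>                <!-- nbf = issue time + 5 minutes -->
    <ExpiresIn>1h</ExpiresIn>
    <OutputVariable>output.jwt</OutputVariable>
</GenerateJWT>

<!-- Verifying side: the public key comes from a PEM certificate held in a variable. -->
<VerifyJWT name="JWT-Verify-PS256">
    <Algorithm>PS256</Algorithm>             <!-- pin the algorithm you issued with; do not let the token choose -->
    <Source>request.header.x-token</Source>  <!-- placeholder: variable holding the compact JWT -->
    <PublicKey>
        <Certificate ref="public.certificate_pem"/>
    </PublicKey>
    <Subject>device-1234</Subject>
    <Issuer>urn:example:issuer</Issuer>
    <Audience>urn:example:api</Audience>
    <TimeAllowance>30s</TimeAllowance>       <!-- clock skew tolerated when checking nbf and exp -->
</VerifyJWT>

<!-- Encrypted token: the claims are unreadable without the recipient's private key. -->
<GenerateJWT name="JWT-Generate-Encrypted">
    <Type>Encrypted</Type>
    <EncryptionAlgorithms>
        <Key>RSA-OAEP-256</Key>              <!-- key-management algorithm, RFC 7518 section 4 -->
        <Content>A256GCM</Content>           <!-- content-encryption algorithm, RFC 7518 section 5 -->
    </EncryptionAlgorithms>
    <PublicKey>
        <Value ref="public.publickey"/>      <!-- assumed: recipient's PEM public key -->
    </PublicKey>
    <Subject>device-1234</Subject>
    <Issuer>urn:example:issuer</Issuer>
    <Audience>urn:example:api</Audience>
    <ExpiresIn>1h</ExpiresIn>
    <OutputVariable>output.jwe</OutputVariable>
</GenerateJWT>
```

On the verifying side, keep <Algorithm> fixed to what you issue rather than accepting whatever the token's alg header says, and keep <TimeAllowance> to the skew you actually see between hosts; a token that is not yet valid (nbf) or already expired (exp) should fail the policy, not be accepted with a warning. Encryption hides the claims from intermediaries but says nothing about who produced the token, so pair an encrypted JWT with a signature or another origin check when the recipient needs to know the issuer.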

HMAC policy

Apigee helps you ensure message integrity with the ability to calculate or verify a keyed-hash message authentication code (HMAC) in an API proxy. An HMAC plays a role similar to a signature, but it is symmetric: the sender computes the HMAC over the message with a secret key and a cryptographic hash function and sends it along with the message, and the receiver, holding the same secret key, recomputes the HMAC with the same key and hash function and compares the two. Anyone who holds the key can both produce and verify an HMAC, so it proves integrity and origin to a party that shares the key, but it does not provide the non-repudiation of a public-key signature. A new HMAC policy lets you provide the secret key (through a variable) and the hash function (SHA-1, SHA-2 in its 224, 256, 384, or 512 variants, or MD5) to produce an HMAC on a message or verify one received from the sender. Prefer a SHA-2 variant for new integrations; MD5 and SHA-1 are available for compatibility with existing peers.

Following is a sample HMAC policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<HMAC name="HMAC-1">
    <Algorithm>SHA-256</Algorithm>
    <Message>abc</Message>
    <!-- Use a private.* variable (for example, populated from an encrypted KVM) so the key is masked in Trace -->
    <SecretKey ref="private.secretkey"/>
    <!-- Variable that receives the computed HMAC -->
    <Output>hmac_value</Output>
    <!-- For HMAC verification: the expected value, with an optional encoding attribute (hex, base16, or base64) -->
    <VerificationValue encoding='hex|base16|base64' ref='expected_hmac_value'/>
</HMAC>

This release also includes an HMAC function to let you calculate an HMAC in a policy that supports message templates. (116157456)

Message template functions

Following are new message template functions available with this release:

  • firstnonnull - Returns the value of the first (left-most) non-null argument. (139698514)
  • xpath - Lets you apply an XML Path (XPath) expression to parse XML variables. (123246424)
  • hmac - Lets you compute an HMAC on a message using the following format:

    hmac('cryptographic_hash',secretKey,valueToSign)

    For example:

    <AssignVariable>
        <Name>hmac_function</Name>
        <Template>{hmac('sha256',private.secretkey,valueToSign)}</Template>
    </AssignVariable>

    See the HMAC policy for more information about Apigee's HMAC functionality. (116157456)
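
The following is an added example, not from the release notes, that shows the HMAC policy in compute mode on the sending side and in verify mode on the receiving side; the hmac() template function above yields the same bytes for the same hash, key and message, so either form can produce the sender-side value. Variable and header names (private.secretkey, computed.hmac, request.header.x-signature) are placeholders. That <Message> accepts a message template, and that <Output> takes the same encoding attribute as <VerificationValue>, are assumptions to check against the policy reference.

```xml
<!-- Added example (not from the release notes). Variable and header names are placeholders. -->

<!-- Sending side: compute the HMAC over the exact bytes being sent and expose it in a
     variable that a following AssignMessage can copy into a request header. -->
<HMAC name="HMAC-Sign-Body">
    <Algorithm>SHA-256</Algorithm>
    <Message>{request.content}</Message>          <!-- assumed: message template over the body -->
    <SecretKey ref="private.secretkey"/>          <!-- private.* keeps the key masked in Trace -->
    <Output encoding="base64">computed.hmac</Output>  <!-- assumed: encoding attribute on Output -->
</HMAC>

<!-- Receiving side: recompute over the received body and compare with the value the
     sender put in the X-Signature header. A mismatch fails the policy, so an unsigned
     or altered body never reaches the target. -->
<HMAC name="HMAC-Verify-Body">
    <Algorithm>SHA-256</Algorithm>
    <Message>{request.content}</Message>
    <SecretKey ref="private.secretkey"/>
    <Output>hmac_value</Output>
    <VerificationValue encoding="base64" ref="request.header.x-signature"/>
</HMAC>
```

Signing only the body binds nothing else about the request: a valid body and signature can be replayed against a different path or method. If the peer needs that binding, include the method, path and a timestamp in the signed string on both sides and reject signatures whose timestamp is outside a short window.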

AssignMessage policy: AssignVariable lets you reference a message template

In the AssignMessage policy, the <AssignVariable> / <Template> element allows a ref attribute, letting you inject a predefined template at runtime that can change without having to modify the policy. (118396082)

Multiple certificate aliases

When configuring TLS with a keystore that holds multiple certificates, each under a different alias, Edge lets you select the certificate to present by referencing its alias in the <SSLInfo><KeyAlias> configuration of the outbound connection (HTTPClient is the message processor's client to target endpoints and service callouts). To enable this updated behavior, set the new HTTPClient.choose.alias.by.keyalias property to true in the http.properties file on the message processors. Edge for Public Cloud users must contact Support to add this property. (142141620)
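
An added example (not from the release notes) of the two pieces involved: the message processor property and a TargetEndpoint that presents one specific client certificate from a keystore holding several. The keystore, truststore and alias names and the backend URL are placeholders; the <SSLInfo> elements are the existing two-way TLS configuration.

```xml
<!-- Added example (not from the release notes). Names and the URL are placeholders. -->

<!-- 1. On each message processor, in http.properties (Public Cloud: ask Support to add it):
        HTTPClient.choose.alias.by.keyalias=true -->

<!-- 2. Target endpoint with two-way TLS to the backend. With the property set, the
        certificate under KeyAlias is the one presented, whatever else the keystore holds. -->
<TargetEndpoint name="default">
    <HTTPTargetConnection>
        <URL>https://backend.example.internal/orders</URL>
        <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>true</ClientAuthEnabled>
            <KeyStore>ref://orders-keystore-ref</KeyStore>
            <KeyAlias>orders-client-2020</KeyAlias>
            <TrustStore>ref://orders-truststore-ref</TrustStore>
        </SSLInfo>
    </HTTPTargetConnection>
</TargetEndpoint>
```

After enabling the property, confirm on the backend (its access log or a packet capture of the handshake) that the certificate subject matches the alias you configured; a keystore that also contains an older or a differently scoped certificate is exactly the case where a silent wrong pick goes unnoticed.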

JSONtoXML policy: Omit the XML declaration, indent output

Two new boolean options in the JSONtoXML policy give you more control over the XML output.

  • <Options> <OmitXmlDeclaration> - When set to true (the default is false), the <OmitXmlDeclaration> element omits the default <?xml version="1.0" encoding="UTF-8"?> XML declaration generated by the policy.
  • <Options> <Indent> - When set to true (the default is false), the <Indent> element indents the XML output. For example, instead of this output:

    <Array><n>1</n><n>2</n><n>3</n></Array>

    The Indent element produces this:

    <Array>
     <n>1</n>
     <n>2</n>
     <n>3</n>
    </Array>

(65142394)

Responses for virtual host scanning

Previously, if a request was made directly to an Apigee endpoint's IP address (no Host header naming a configured virtual host), Edge returned an HTTP 200 response with a blank HTML document from the default virtual host associated with that IP address. Scanners sweeping bare IP addresses could misread that response as an exposed, potentially exploitable service. To avoid that impression, Edge now drops the connection and returns no response to such requests. (140005396)

Target server properties in Trace to help with troubleshooting

The following new trace properties help troubleshoot target connection issues by showing whether the HTTPClient for the target server has been cached: isHttpClientCached and isFromClientPool. (140574604)

MessageLogging policy: Syslog message

In the MessageLogging policy, a new <Syslog> / <PayloadOnly> element (boolean) lets you determine whether anything is automatically prepended to the <Message> you define. If you set <PayloadOnly> to true, nothing is prepended to your message definition (regardless of the <FormatMessage> setting). If set to false (the default), the <FormatMessage> setting determines what is prepended to the log message. (68722102)
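
An added example (not from the release notes) of a MessageLogging policy that ships one structured line per request to a TLS syslog collector, with <PayloadOnly> set so the line arrives exactly as templated. The host name and the line layout are placeholders; the flow variables are standard Edge variables, and the other <Syslog> children are the existing policy elements.

```xml
<!-- Added example (not from the release notes). Host and line layout are placeholders. -->
<MessageLogging name="Log-To-Syslog">
    <Syslog>
        <!-- With PayloadOnly=true this line is sent as rendered, regardless of FormatMessage.
             With PayloadOnly=false (the default) and FormatMessage=true, Edge prepends its own
             header to it, which breaks collectors that expect a fixed field order. -->
        <Message>{system.time} org={organization.name} env={environment.name} proxy={apiproxy.name} client={client.ip} {request.verb} {proxy.pathsuffix} status={response.status.code} msgid={messageid}</Message>
        <Host>syslog.example.internal</Host>
        <Port>6514</Port>
        <Protocol>TCP</Protocol>
        <FormatMessage>true</FormatMessage>
        <PayloadOnly>true</PayloadOnly>
        <SSLInfo>
            <Enabled>true</Enabled>    <!-- TLS to the collector; log lines carry client IPs and paths -->
        </SSLInfo>
    </Syslog>
    <logLevel>INFO</logLevel>
</MessageLogging>
```

Attach the policy in the PostClientFlow so that response variables such as response.status.code are populated, and keep credential-bearing variables (Authorization headers, API keys, request bodies) out of the template; a log collector is rarely protected as well as the proxy that feeds it.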

Cache policies expiration

A new <TimeoutInSeconds> expiry element on the ResponseCache policy and PopulateCache policy behaves the way the existing <TimeoutInSecs> element was originally intended to work. Please use the new element. The deprecated <TimeoutInSecs> element still exists for backwards compatibility. If both the <TimeoutInSecs> and <TimeoutInSeconds> elements are configured, Edge uses <TimeoutInSeconds>. (119172893)

virtualhost.aliases.values flow variable

A new read-only virtualhost.aliases.values message flow variable returns a JSON-formatted array of all aliases assigned to the virtual host that was called on the inbound request. (128453178)

Bugs fixed

The following bugs are fixed in this release. This list is primarily for users checking to see if their support tickets have been fixed. It's not designed to provide detailed information for all users.

Each entry gives the issue ID and the affected component, followed by a description.
150655357 API Runtime

If the API proxy has a load-balanced target and all targets are down, the correct response status, 504 (indicating a timeout on the target), is now returned. Before this release (200203), an incorrect NoActiveTargets response was returned.

65852874 API Runtime

HTTPClient no longer tries to reuse a connection on which the response carried a Connection: close header

67170148 API Runtime

Elapsed Time and timeTaken differences in ServiceCallouts

109871907 API Runtime

ServiceCallout execution delays with no Response element

111553402 API Runtime

An API product with invalid characters in its path was not caught until runtime

112488235 Management Server

Can create virtual hosts with a space in the name

116834109 API Runtime

Incorrect values for the variables failed, fault.cause, and fault.name in Trace

119854424 API Runtime

LoadBalancer with single target server shouldn't become inactive on connection failure

124049692 API Runtime

NullPointerException in VerifyApiKey policy

126240341 API Runtime

Improve generic "Generation Failed" message on GenerateJWT policy failure

128450374 API Runtime

JWT/JWS policies ought to respect IgnoreUnresolvedVariables - throw appropriate fault if variable is not defined

129275412 API Runtime

Add HTTP headers to the fallback virtual host for generic IP scans

129351507 API Runtime

BasicAuthentication policy fails to decode when the password contains a colon

131763486 API Runtime

The base path of a shared flow should be ignored in the message processor

132443137 API Runtime

Change message processor behavior to handle unknown internal x-apigee headers

132777537 API Runtime

ExtractVariables policy failing for valid JSONPath

133253435 API Runtime

High CPU usage by Apigee-Main thread

133713555 API Runtime

Edge router altering date header

135031506 API Runtime

Add log message for unexpected JWT key format

135354517 API Runtime

Org fails in Release_190301 due to strict enforcement of 'String' datatype in BasicAuth

135856488 Management Server

UI slowness

135972575 API Runtime

Private Cloud 4.19.01 is showing different behavior during deployment with override=true&delay=300

This fix will be included in a future Edge for Private Cloud release.

137312366 API Runtime

Content validation by Content-Type header

138310777 API Runtime

Shared flow deployment call randomly returns 504

138951646 API Runtime

Time limit does not work in JavaScript

139051927 API Runtime

High request processing latency

139407965 Management Server

KVM created with no name

141601836 API Runtime

Fix host name in log message

144286363 API Runtime > Hybrid > Trace

Debug mask in env.json does not mask response data in Apigee hybrid

147769812 API Runtime

Declare OAuth hash properties as mutable in feature-flags

149037704 API Runtime

The proxy.url in Trace output can potentially display the incorrect virtual host