20.04.06 - Apigee Edge for Public Cloud release notes

On the following dates, we began releasing component updates to Apigee Edge for Public Cloud:

  • Message Processor: Friday, May 1, 2020
  • API Management: Monday, April 20, 2020
  • Monetization Management: Monday, April 20, 2020

New features and updates

Following are the new features and updates in this release.

JWT policies

  • JWT encryption

    The JWT policies let you generate, verify, and decode encrypted tokens. New elements on policies include:

    • <Type> - Lets you set whether the tokens are signed or encrypted.
    • <EncryptionAlgorithms> - Lets you set <Key> and <Content> encryption algorithms.

    (67165581)

  • Support for PSS algorithms in signed tokens

    The policies for generating and verifying JWT and JWS now support PS256, PS384, and PS512 algorithms, as described in IETF RFC 7518. (119856499)

  • GenerateJWT relative start time for token

    When generating a JWT with the GenerateJWT policy, the <NotBefore> element lets you specify a relative delay between when a token is generated and when it becomes valid. For example, a <NotBefore> value of 2h means a token isn't valid until 2 hours after it's generated. You can set the <NotBefore> time in milliseconds (ms), seconds (s), minutes (m), hours (h), days (d), or weeks (w). (126261970)

  • Reference PublicKey/Certificate in VerifyJWT

    In the VerifyJWT policy, a <PublicKey> / <Certificate> element lets you reference the PEM-formatted certificate with which to verify incoming JWT signatures. For example:

    <PublicKey>
      <Certificate ref='public.certificate_pem'/>
    </PublicKey>

    (132918033)
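The following Python is an added illustration, not Apigee product code or documentation, of how the relative <NotBefore> value described above maps onto the JWT nbf claim and how a verifier treats the token before and after that instant. The unit table follows the ms/s/m/h/d/w list in the note; the function names and the optional clock-skew leeway are assumptions for the example.

```python
import re
import time
from typing import Optional

# Units the <NotBefore> element accepts, per the release note, in seconds.
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*(ms|s|m|h|d|w)\s*$")


def parse_relative_duration(text: str) -> float:
    """Turn a value such as '2h' or '500ms' into seconds; reject anything else."""
    match = _DURATION_RE.match(text)
    if not match:
        raise ValueError(f"unsupported <NotBefore> value: {text!r}")
    amount, unit = match.groups()
    return int(amount) * _UNIT_SECONDS[unit]


def build_time_claims(not_before: str, issued_at: Optional[int] = None) -> dict:
    """Claims a generator would emit: nbf is the issue time plus the offset.
    JWT NumericDate values are whole seconds, so sub-second offsets truncate."""
    iat = int(time.time()) if issued_at is None else issued_at
    return {"iat": iat, "nbf": iat + int(parse_relative_duration(not_before))}


def check_not_before(claims: dict, now: int, leeway: int = 0) -> bool:
    """Verifier-side nbf check: the token is usable only once now >= nbf,
    minus whatever clock-skew allowance the verifier chooses to grant."""
    nbf = claims.get("nbf")
    if nbf is None:
        return True  # no nbf claim means no start-time restriction
    return now >= nbf - leeway
```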

HMAC policy

Apigee helps you ensure message integrity with the ability to calculate or verify a keyed-hash message authentication code (HMAC) in an API proxy. An HMAC acts like a digital signature. The message sender can compute the HMAC with a secret key and a cryptographic hash function and send it to the target. If the target has the same secret key as the sender, it can use the same key and hash function to compute the HMAC for verification. A new HMAC policy lets you provide the secret key (through a variable) and a cryptographic hash function such as SHA-1, SHA-2 (224, 256, 384, 512) or MD-5 to produce an HMAC on a message or verify an HMAC received from the sender.

Following is a sample HMAC policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<HMAC name="HMAC-1">
    <Algorithm>SHA-256</Algorithm>
    <Message>abc</Message>
    <SecretKey ref="private.secretkey"/>
    <Output>hmac_value</Output>
    <!-- For HMAC verification, with an optional encoding attribute -->
    <VerificationValue encoding='hex|base16|base64' ref='expected_hmac_value'/>
</HMAC>

This release also includes an HMAC function to let you calculate an HMAC in a policy that supports message templates. (116157456)

Message template functions

Following are new message template functions available with this release:

  • firstnonull - Returns the value of the first (left-most) non-null argument. (139698514)
  • xpath - Lets you apply an XML Path (XPath) expression to parse XML variables. (123246424)
  • hmac - Lets you compute an HMAC on a message using the following format:

    hmac('cryptographic_hash',secretKey,valueToSign)

    For example:

    <AssignVariable>
        <Name>hmac_function</Name>
        <Template>{hmac('sha256',private.secretkey,valueToSign)}</Template>
    </AssignVariable>

    See the HMAC policy for more information about Apigee's HMAC functionality. (116157456)
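As an added example covering both the HMAC policy above and the hmac() message template function (this is not Apigee code; the function names, hash-name normalisation and the constructed key are assumptions), the following Python computes a tag the way <Output> would receive it and verifies a received tag in the hex/base16/base64 encodings that <VerificationValue> accepts, using a constant-time comparison.

```python
import base64
import binascii
import hashlib
import hmac

# Hash names as written in the HMAC policy (<Algorithm>SHA-256</Algorithm>) and
# in the hmac('sha256', ...) template function, mapped to hashlib constructors.
# MD5 and SHA-1 appear on the page; keep them only for peers that cannot move.
_HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA224": hashlib.sha224,
           "SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}

# Encodings accepted by <VerificationValue encoding='hex|base16|base64'>.
_CODECS = {"hex": (lambda b: b.hex(), binascii.unhexlify),
           "base64": (lambda b: base64.b64encode(b).decode("ascii"),
                      lambda s: base64.b64decode(s, validate=True))}
_CODECS["base16"] = _CODECS["hex"]


def _hash_for(algorithm: str):
    key = algorithm.upper().replace("-", "")  # accepts "SHA-256", "sha256", "MD-5"
    if key not in _HASHES:
        raise ValueError(f"unsupported HMAC hash: {algorithm!r}")
    return _HASHES[key]


def compute_hmac(algorithm: str, secret_key: bytes, message: bytes) -> bytes:
    """Raw tag, what the policy places in <Output> before any encoding."""
    return hmac.new(secret_key, message, _hash_for(algorithm)).digest()


def encode_tag(tag: bytes, encoding: str = "hex") -> str:
    """Encode a tag the way a sender would transmit it."""
    if encoding.lower() not in _CODECS:
        raise ValueError(f"unsupported encoding: {encoding!r}")
    return _CODECS[encoding.lower()][0](tag)


def verify_hmac(algorithm: str, secret_key: bytes, message: bytes,
                received: str, encoding: str = "hex") -> bool:
    """Recompute the tag and compare in constant time, so response timing does
    not reveal how much of a guessed tag matched; malformed input fails closed."""
    if encoding.lower() not in _CODECS:
        return False
    try:
        expected = _CODECS[encoding.lower()][1](received.strip())
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(compute_hmac(algorithm, secret_key, message), expected)
```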

AssignMessage policy: AssignVariable lets you reference a message template

In the AssignMessage policy, the <AssignVariable> / <Template> element allows a ref attribute, letting you inject a predefined template at runtime that can change without having to modify the policy. (118396082)

Multiple certificate aliases

When configuring TLS and using multiple certificates in a keystore, each with a different alias, Edge lets you reference specific certificate aliases in your <SSLInfo><KeyAlias> configuration. To enable this updated behavior, set a new HTTPClient.choose.alias.by.keyalias property to true in the http.properties file on message processors. Edge for Public Cloud users must contact Support to add this property. (142141620)

JSONtoXML policy: Omit the XML declaration, indent output

Two new boolean options in the JSONtoXML policy give you more control over the XML output.

  • <Options> <OmitXmlDeclaration> - When set to true (the default is false), the <OmitXmlDeclaration> element omits the default <?xml version="1.0" encoding="UTF-8"?> XML declaration generated by the policy.
  • <Options> <Indent> - When set to true (the default is false), the <Indent> element indents the XML output. For example, instead of this output:

    <Array><n>1</n><n>2</n><n>3</n></Array>

    The Indent element produces this:

    <Array>
     <n>1</n>
     <n>2</n>
     <n>3</n>
    </Array>

(65142394)

Responses for virtual host scanning

Previously, if a request was made to an Apigee endpoint's IP address (no virtual host specified), Edge returned an HTTP 200 response and a blank HTML document from the default Apigee virtual host associated with that IP address. To avoid the incorrect impression that such a response might represent a potential vulnerability that could be exploited, the connection is now dropped and no response is returned. (140005396)

Target server properties in Trace to help with troubleshooting

The following new trace properties help troubleshoot target connection issues by showing whether the HTTPClient for the target server has been cached: isHttpClientCached and isFromClientPool. (140574604)

MessageLogging policy: Syslog message

In the MessageLogging policy, a new <Syslog> / <PayloadOnly> element (boolean) lets you determine whether anything is automatically prepended to the <Message> you define. If you set <PayloadOnly> to true, nothing is prepended to your message definition (regardless of the <FormatMessage> setting). If set to false (the default), the <FormatMessage> setting determines what is prepended to the log message. (68722102)

Cache policies expiration

A new <TimeoutInSeconds> expiry element on the ResponseCache policy and PopulateCache policy behaves the way the existing <TimeoutInSecs> element was originally intended to work. Please use the new element. The deprecated <TimeoutInSecs> element still exists for backwards compatibility. If both the <TimeoutInSecs> and <TimeoutInSeconds> elements are configured, Edge uses <TimeoutInSeconds>. (119172893)

virtualhost.aliases.values flow variable

A new read-only virtualhost.aliases.values message flow variable returns a JSON-formatted array of all aliases assigned to the virtual host that was called on the inbound request. (128453178)

New parameter to ensure proxy revision deletion

A new force query parameter has been added to the delete API proxy revision API. In cases where the revision is listed in the List API Proxies API but cannot actually be queried, this parameter ensures that the proxy revision is deleted. (111691721)

For example:

DELETE /v1/organizations/myorg/apis/myproxy/revisions/2?force=true

Bugs fixed

The following bugs are fixed in this release. This list is primarily for users checking to see if their support tickets have been fixed. It's not designed to provide detailed information for all users.

Issue ID Component Name Description
149507805 API Management

Enable Deployment/Configuration via HTTP for all production MGMT servers

Configuration updates happen over HTTP instead of RPC, improving reliability and the logging of errors.

137217974 API Management

When configuring MPs over HTTP, propagate the error properly when a target server is still in use

As a result of reliability improvements introduced in issue 149507805, response errors from target server deletion were incorrectly reported as status 200 (success) when the deletion failed. With this fix, response errors are now correctly reported as status 400 if the deletion fails. Note that target server deletion can fail if the target server is referenced by a currently deployed proxy. Before deleting a target server, check to make sure the target server is not referenced by any API proxies that are currently deployed.

69765558 API Management

Resource Permissions API returns 403

149545506 API Management

Fixes a security issue in the API for adding a user to a role.

131246911 API Management

For developer emails in a portal, enable support for newer domains such as *.games, *.asia

An issue was fixed where some domain names, such as *.games, *.asia, and *.africa caused developer creation on Edge to fail because the domain validator did not recognize them. Edge now only validates that an email address format is valid (contains an '@' symbol).

142217645 API Management

PUT v1/o/{org_name}/apiproducts/{product_name} doesn't remove quotas

135856488 Management Server

UI slowness

139407965 Management Server

An issue was fixed that allowed a KVM to be created without a name.

112488235 Management Server

Validation was added to prevent virtual hosts from being created with spaces in the name. Space characters are not valid for use in virtual host names.

132433193 Monetization Management

An issue with application update was fixed.

152514520 Monetization Management

An issue with management API calls to delete entities was fixed.

128450374 API Runtime

JWT/JWS policies ought to respect IgnoreUnresolvedVariables - throw appropriate fault if variable is not defined

135354517 API Runtime

Org fails in Release_190301 due to strict enforcement of 'String' datatype in BasicAuth

131763486 API Runtime

The base path of a shared flow should be ignored in the message processor

135972575 API Runtime

Private Cloud 4.19.01 is showing different behavior during deployment with override=true&delay=300

This fix will be included in a future Edge for Private Cloud release.

141601836 API Runtime

Fix hostname in log message

116834109 API Runtime

Incorrect values for the variables failed, fault.cause, and fault.name in Trace

130653816 API Runtime

Intermittent 404s to runtime traffic

132777537 API Runtime

ExtractVariables policy failing for valid JSONPath

133713555 API Runtime

Edge router altering date header

133253435 API Runtime

High CPU usage by Apigee-Main thread

111553402 API Runtime

An API product with invalid characters in the path not caught until runtime

126240341 API Runtime

Improve generic "Generation Failed" message on GenerateJWT policy failure

119854424 API Runtime

LoadBalancer with single target server shouldn't become inactive on connection failure

129275412 API Runtime

Add HTTP headers to the fallback virtual host for generic IP scans

129351507 API Runtime

BasicAuthentication policy fails to decode when the password contains a colon

65852874 API Runtime

Make sure that HTTPClient does not try to reuse a connection that had a Connection:close response header

138951646 API Runtime

Time limit does not work in JavaScript for httpClient

139051927 API Runtime

High request processing latency

132443137 API Runtime

Change message processor behavior to handle unknown internal x-apigee headers

138310777 API Runtime

Shared flow deployment call randomly returns 504

67170148 API Runtime

Elapsed Time and timeTaken differences in ServiceCallouts

124049692 API Runtime

NullPointerException in VerifyApiKey policy

135031506 API Runtime

Add log message for unexpected JWT key format

137312366 API Runtime

Content validation by Content-Type header

109871907 API Runtime

ServiceCallout execution delays with no Response element

143722867 API Runtime

JWT must enforce a configurable limit on the number of iterations for PBKDF2

144286363 Hybrid Trace

Debug mask in env.json does not mask response data in Apigee hybrid

147769812 API Runtime

Declare OAuth hash properties as mutable in feature-flags

149037704 Hybrid Trace

I see someone else's account in the Trace proxy.url for my own gettingstarted proxy

The proxy.url in Trace output can potentially display the incorrect virtual host.

148972262 API Runtime

DecodeJWS emits the payload to a context variable in a useless form

116580622 API Runtime

Inconsistent response

149739904 API Runtime

Data masking for HTTP headers should be case insensitive

149431545 API Runtime

GenerateJWT and VerifyJWT with SecretKey does not accept any encoding except for UTF-8