20.04.06 - Apigee Edge for Public Cloud release notes

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation. info

On the following dates, we began releasing component updates to Apigee Edge for Public Cloud:

Message Processor: Friday, May 1, 2020
API Management: Monday, April 20, 2020
Monetization Management: Monday, April 20, 2020
API Management Patch Release: Monday, June 22, 2020
Monetization Management Patch Release: Monday, July 6, 2020
Management Server Security Update: Monday, August 24, 2020
Message Processor Patch Release with bug fixes: Thursday, September 24, 2020
Message Processor Patch Release with bug fixes: Monday, October 26, 2020
Message Processor Patch Release with bug fixes: Monday, February 1, 2021

Help & notifications

Private Cloud customers: Is this cloud release included in your Private Cloud version? See your version's release notes to see which cloud releases it contains. Also, see About release numbering to understand how you can figure it out by comparing release numbers.

Questions or issues? Get help here.

Release notifications: Go to http://status.apigee.com and click Subscribe to Updates.

Release notes home page

New features and updates

Following are the new features and updates in this release.

JWT policies

JWT encryption

The JWT policies let you generate, verify, and decode encrypted tokens. New elements on policies include:
- <Type> - Lets you set whether the tokens are signed or encrypted.
- <EncryptionAlgorithms> - Lets you set <Key> and <Content> encryption algorithms.
(67165581)
Support for PSS algorithms in signed tokens

The policies for generating and verifying JWT and JWS now support PS256, PS384, and PS512 algorithms, as described in IETF RFC 7518. (119856499)
GenerateJWT relative start time for token

When generating a JWT with the GenerateJWT policy, the <NotBefore> element lets you specify a relative time between when a token is generated and it becomes valid. For example, a <NotBefore> value of 2h means a token isn't valid until 2 hours after it's generated. You can set <NotBefore> time in milliseconds (ms), seconds (s), minutes (m), hours (h), days (d), or weeks (w). (126261970)
Reference PublicKey/Certificate in VerifyJWT

In the VerifyJWT policy, a <PublicKey> / <Certificate> element lets you reference the PEM-formatted certificate with which to verify incoming JWT signatures. For example:
```
<PublicKey>
  <Certificate ref='public.certificate_pem'/>
</PublicKey>
```
(132918033)

Message template functions

Following are new message template functions available with this release:

firstnonull - Returns the value of the first (left-most) non-null argument. (139698514)
xpath - Lets you apply an XML Path (XPath) expression to parse XML variables. (123246424)

AssignMessage policy: AssignVariable lets you reference a message template

In the AssignMessage policy, the <AssignVariable> / <Template> element allows a ref attribute, letting you inject a predefined template at runtime that can change without having to modify the policy. (118396082)

Multiple certificate aliases

When configuring TLS and using multiple certificates in a keystore, each with a different alias, Edge lets you reference specific certificate aliases in your <SSLInfo><KeyAlias> configuration. To enable this updated behavior, set a new HTTPClient.choose.alias.by.keyalias property to true in the http.properties file on message processors. Edge for Public Cloud users must contact Support to add this property. (142141620)

JSONtoXML policy: Omit the XML declaration, indent output

Two new boolean options in the JSONtoXML policy give you more control over the XML output.

<Options> <OmitXmlDeclaration> - When set to true (the default is false), the <OmitXmlDeclaration> element omits the default <?xml version="1.0" encoding="UTF-8"?> XML declaration generated by the policy.
<Options> <Indent> - When set to true (the default is false), the <Indent> element indents the XML output. For example, instead of this output:
```
<Array><n>1</n><n>2</n><n>3</n></Array>
```
The Indent element produces this:
```
<Array>
 <n>1</n>
 <n>2</n>
 <n>3</n>
</Array>
```

(65142394)

Responses for virtual host scanning

If a request was made to an Apigee endpoint's IP address (no virtual host specified), Edge returned an HTTP 200 response and a blank HTML document from the default Apigee virtual host associated with that IP address. To avoid the incorrect impression that such a response might represent a potential vulnerability that could be exploited, the connection is dropped and no response is returned. (140005396)

Target server properties in Trace to help with troubleshooting

The following new trace properties help troubleshoot target connection issues by showing whether the HTTPClient for the target server has been cached: isHttpClientCached and isFromClientPool. (140574604)

MessageLogging policy: Syslog message

In the MessageLogging policy, a new <Syslog> / <PayloadOnly> element (boolean) lets you determine whether anything is automatically prepended to the <Message> you define. If you set <PayloadOnly> to true, nothing is prepended to your message definition (regardless of the <FormatMessage> setting). If set to false (the default), the <FormatMessage> setting determines what is prepended to the log message. (68722102)

Cache policies expiration

A new <TimeoutInSeconds> expiry element on the ResponseCache policy and PopulateCache policy behaves the way the existing <TimeoutInSecs> element was originally intended to work. Please use the new element. The deprecated <TimeoutInSecs> element still exists for backwards compatibility. If both the <TimeoutInSecs> and <TimeoutInSeconds> elements are configured, Edge uses <TimeoutInSeconds>. (119172893)

virtualhost.aliases.values flow variable

A new read-only virtualhost.aliases.values message flow variable returns a JSON-formatted array of all aliases assigned to the virtual host that was called on the inbound request. (128453178)

New parameter to ensure proxy revision deletion

A new force query parameter has been added to the delete API proxy revision. In cases where the revision is listed in the List API Proxies API but can not actually be queried, this parameter ensures that the proxy revision is deleted. (111691721)

For example:

DELETE /v1/organizations/myorg/apis/myproxy/revisions/2?force=true

New flow variable for virtualhost alias values

A new read-only virtualhost.aliases.values message flow variable returns a JSON-formatted array of all aliases assigned to the virtual host that was called on the inbound request. (128453178)

Bugs fixed

The following bugs are fixed in this release. This list is primarily for users checking to see if their support tickets have been fixed. It's not designed to provide detailed information for all users.

Issue ID	Component Name	Description
143313772	Message Processor	An issue was fixed in the SpikeArrest policy that occurred when `UseEffectiveCount` is enabled and a rolling restart happens. (In 2/1/21 patch release.)
154428338	API Runtime	Message Processor fails to load environments when keystores are configured with similar names or aliases. We have fixed a regex lookup conflict when loading keystores that have similar naming convention. This was causing the Message Processor to fail to load environments associated to the keystore, or fail to start when multiple conflicting keystores were returned during the lookup.
149507805	API Management	Enable Deployment/Configuration via HTTP for all production MGMT servers Configuration updates happen over HTTP instead of RPC, improving reliability and the logging of errors.
137217974	API Management	When configuring MPs over HTTP, propagate the error properly when a target server is still in use As a result of reliability improvements introduced in issue 149507805, response errors from target server deletion were incorrectly reported as status 200 (success) when the deletion failed. With this fix, response errors are now correctly reported as Status 400 if the deletion fails. Note that target server deletion can fail if the target server is referenced by a currently deployed proxy. Before deleting a target server, check to make sure the target server is not referenced by any API proxies that are currently deployed.
69765558	API Management	Resource Permissions API returns 403
149545506	API Management	Fixes a security issue in the API for adding a user to a role.
131246911	API Management	*For developer emails in a portal, enable support for newer domains such as .games, .asia* An issue was fixed where some domain names, such as `.games`, `.asia`, and `*.africa` caused developer creation on Edge to fail because the domain validator did not recognize them. Edge now only validates that an email address format is valid (contains an '@' symbol).
142217645	API Management	PUT v1/o/{org_name}/apiproducts/{product_name} doesn't remove quotas
162299668	Management Server	A potential security vulnerability was fixed.
135856488	Management Server	UI slowness
139407965	Management Server	An issue was fixed that allowed a KVM to be created without a name.
112488235	Management Server	Validation was added to prevent virtual hosts from being created with spaces in the name. Space characters are not valid for use in virtual host names.
132433193	Monetization Management	An issue with application update was fixed.
152514520	Monetization Management	An issue with management API calls to delete entities was fixed.
128450374	API Runtime	JWT/JWS policies ought to respect IgnoreUnresolvedVariables - throw appropriate fault if variable is not defined
135354517	API Runtime	Org fails in Release_190301 due to strict enforcement of 'String' datatype in BasicAuth
131763486	API Runtime	The base path of a shared flow should be ignored in the message processor
135972575	API Runtime	Private Cloud 4.19.01 is showing different behavior during deployment with override=true&delay=300 This fix will be included in a future Edge for Private Cloud release.
141601836	API Runtime	Fix hostname in log message
116834109	API Runtime	Incorrect values for the variables failed, fault.cause, and fault.name in Trace
130653816	API Runtime	Intermittent 404s to runtime traffic
132777537	API Runtime	ExtractVariables policy failing for valid JSONPath
133713555	API Runtime	Edge router altering date header
133253435	API Runtime	High CPU usage by Apigee-Main thread
111553402	API Runtime	An API product with invalid characters in the path not caught until runtime
126240341	API Runtime	Improve generic "Generation Failed" message on GenerateJWT policy failure
119854424	API Runtime	LoadBalancer with single target server shouldn't become inactive on connection failure
129275412	API Runtime	Add HTTP headers to the fallback virtual host for generic IP scans
129351507	API Runtime	BasicAuthentication policy fails to decode when the password contains a colon
65852874	API Runtime	Make sure that HTTPClient does not try to reuse a connection that had a Connection:close response header
138951646	API Runtime	Time limit does not work in JavaScript for `httpClient`
139051927	API Runtime	High request processing latency
132443137	API Runtime	Change message processor behavior to handle unknown internal x-apigee headers
138310777	API Runtime	Shared flow deployment call randomly returns 504
67170148	API Runtime	Elapsed Time and timeTaken differences in ServiceCallouts
124049692	API Runtime	NullPointerException in VerifyApiKey policy
135031506	API Runtime	Add log message for unexpected JWT key format
137312366	API Runtime	Content validation by Content-Type header
109871907	API Runtime	ServiceCallout execution delays with no Response element
143722867	API Runtime	JWT must enforce a configurable limit on the number of iterations for PBKDF2
144286363	Hybrid Trace	Debug mask in env.json does not mask response data in Apigee hybrid
147769812	API Runtime	Declare OAuth hash properties as mutable in feature-flags
149037704	API Runtime	An issue was fixed where the value to assigned to `proxy.url` flow variable could possibly return incorrect host alias.
148972262	API Runtime	DecodeJWS emits the payload to a context variable in a useless form
116580622	API Runtime	Inconsistent response
149739904	API Runtime	Data masking for HTTP headers should be case insensitive
149431545	API Runtime	GenerateJWT and VerifyJWT with SecretKey does not accept any encoding except for UTF-8
155448596	API Management-Patch	Missing permissions on default apimonitoringadmin role Missing permissions were added to the apimonitoringadmin role.
158592076	API Management-Patch	Missing permissions on default devadmin role Missing permissions were added to the devadmin role.
152856311	API Management-Patch	Validations to reject PKCS7 and DER certs in keystore and truststore during virtual host creation and update During virtual host creation or update, validations are enforced to check if the certs added in the keystore alias and truststore are in PEM format and not in incompatible formats like PKCS7, DER, and so on.
155478545	Monetization Management-Patch	An issue with email notifications status updates was fixed.
154121499	Monetization Management-Patch	An issue where the `/mint/org/orgname/delete-org-data` API threw a 404 status error was fixed.
152356393	Monetization Management-Patch	The company name length validation was relaxed for monetization company creation.
138542921	Monetization Management-Patch	An issue was fixed where creating a rate plan failed with multiple custom attributes in the product bundle.
150948843	Monetization Management-Patch	An issue was fixed where the Monetization `/sync-developers` API threw persistence conflicts.
155443118	Monetization Management-Patch	The `jsonMailProperties` field was removed.
150948843	Monetization Management-Patch	An issue was fixed where the Monetization `/sync-developers` API threw persistence conflicts.