20.04.06 - Apigee Edge for Public Cloud release notes

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.

On the following dates, we began releasing component updates to Apigee Edge for Public Cloud:

  • Message Processor: Friday, May 1, 2020
  • API Management: Monday, April 20, 2020
  • Monetization Management: Monday, April 20, 2020
  • API Management Patch Release: Monday, June 22, 2020
  • Monetization Management Patch Release: Monday, July 6, 2020
  • Management Server Security Update: Monday, August 24, 2020
  • Message Processor Patch Release with bug fixes: Thursday, September 24, 2020
  • Message Processor Patch Release with bug fixes: Monday, October 26, 2020
  • Message Processor Patch Release with bug fixes: Monday, February 1, 2021

New features and updates

Following are the new features and updates in this release.

JWT policies

  • JWT encryption

    The JWT policies let you generate, verify, and decode encrypted tokens. New elements on policies include:

    • <Type> - Lets you set whether the tokens are signed or encrypted.
    • <EncryptionAlgorithms> - Lets you set <Key> and <Content> encryption algorithms.


  • Support for PSS algorithms in signed tokens

    The policies for generating and verifying JWT and JWS now support PS256, PS384, and PS512 algorithms, as described in IETF RFC 7518. (119856499)

  • GenerateJWT relative start time for token

    When generating a JWT with the GenerateJWT policy, the <NotBefore> element lets you specify a relative time between when a token is generated and it becomes valid. For example, a <NotBefore> value of 2h means a token isn't valid until 2 hours after it's generated. You can set <NotBefore> time in milliseconds (ms), seconds (s), minutes (m), hours (h), days (d), or weeks (w). (126261970)

  • Reference PublicKey/Certificate in VerifyJWT

    In the VerifyJWT policy, a <PublicKey> / <Certificate> element lets you reference the PEM-formatted certificate with which to verify incoming JWT signatures. For example:

      <Certificate ref='public.certificate_pem'/>


Message template functions

Following are new message template functions available with this release:

  • firstnonull - Returns the value of the first (left-most) non-null argument. (139698514)
  • xpath - Lets you apply an XML Path (XPath) expression to parse XML variables. (123246424)

AssignMessage policy: AssignVariable lets you reference a message template

In the AssignMessage policy, the <AssignVariable> / <Template> element allows a ref attribute, letting you inject a predefined template at runtime that can change without having to modify the policy. (118396082)

Multiple certificate aliases

When configuring TLS and using multiple certificates in a keystore, each with a different alias, Edge lets you reference specific certificate aliases in your <SSLInfo><KeyAlias> configuration. To enable this updated behavior, set a new HTTPClient.choose.alias.by.keyalias property to true in the http.properties file on message processors. Edge for Public Cloud users must contact Support to add this property. (142141620)

JSONtoXML policy: Omit the XML declaration, indent output

Two new boolean options in the JSONtoXML policy give you more control over the XML output.

  • <Options> <OmitXmlDeclaration> - When set to true (the default is false), the <OmitXmlDeclaration> element omits the default <?xml version="1.0" encoding="UTF-8"?> XML declaration generated by the policy.
  • <Options> <Indent> - When set to true (the default is false), the <Indent> element indents the XML output. For example, instead of this output:


    The Indent element produces this:



Responses for virtual host scanning

If a request was made to an Apigee endpoint's IP address (no virtual host specified), Edge returned an HTTP 200 response and a blank HTML document from the default Apigee virtual host associated with that IP address. To avoid the incorrect impression that such a response might represent a potential vulnerability that could be exploited, the connection is dropped and no response is returned. (140005396)

Target server properties in Trace to help with troubleshooting

The following new trace properties help troubleshoot target connection issues by showing whether the HTTPClient for the target server has been cached: isHttpClientCached and isFromClientPool. (140574604)

MessageLogging policy: Syslog message

In the MessageLogging policy, a new <Syslog> / <PayloadOnly> element (boolean) lets you determine whether anything is automatically prepended to the <Message> you define. If you set <PayloadOnly> to true, nothing is prepended to your message definition (regardless of the <FormatMessage> setting). If set to false (the default), the <FormatMessage> setting determines what is prepended to the log message. (68722102)

Cache policies expiration

A new <TimeoutInSeconds> expiry element on the ResponseCache policy and PopulateCache policy behaves the way the existing <TimeoutInSecs> element was originally intended to work. Please use the new element. The deprecated <TimeoutInSecs> element still exists for backwards compatibility. If both the <TimeoutInSecs> and <TimeoutInSeconds> elements are configured, Edge uses <TimeoutInSeconds>. (119172893)

virtualhost.aliases.values flow variable

A new read-only virtualhost.aliases.values message flow variable returns a JSON-formatted array of all aliases assigned to the virtual host that was called on the inbound request. (128453178)

New parameter to ensure proxy revision deletion

A new force query parameter has been added to the delete API proxy revision. In cases where the revision is listed in the List API Proxies API but can not actually be queried, this parameter ensures that the proxy revision is deleted. (111691721)

For example:

DELETE /v1/organizations/myorg/apis/myproxy/revisions/2?force=true

New flow variable for virtualhost alias values

A new read-only virtualhost.aliases.values message flow variable returns a JSON-formatted array of all aliases assigned to the virtual host that was called on the inbound request. (128453178)

Bugs fixed

The following bugs are fixed in this release. This list is primarily for users checking to see if their support tickets have been fixed. It's not designed to provide detailed information for all users.

Issue ID Component Name Description
143313772 Message Processor

An issue was fixed in the SpikeArrest policy that occurred when UseEffectiveCount is enabled and a rolling restart happens.

(In 2/1/21 patch release.)

154428338 API Runtime

Message Processor fails to load environments when keystores are configured with similar names or aliases.

We have fixed a regex lookup conflict when loading keystores that have similar naming convention. This was causing the Message Processor to fail to load environments associated to the keystore, or fail to start when multiple conflicting keystores were returned during the lookup.

149507805 API Management

Enable Deployment/Configuration via HTTP for all production MGMT servers

Configuration updates happen over HTTP instead of RPC, improving reliability and the logging of errors.

137217974 API Management

When configuring MPs over HTTP, propagate the error properly when a target server is still in use

As a result of reliability improvements introduced in issue 149507805, response errors from target server deletion were incorrectly reported as status 200 (success) when the deletion failed. With this fix, response errors are now correctly reported as Status 400 if the deletion fails. Note that target server deletion can fail if the target server is referenced by a currently deployed proxy. Before deleting a target server, check to make sure the target server is not referenced by any API proxies that are currently deployed.

69765558 API Management

Resource Permissions API returns 403

149545506 API Management

Fixes a security issue in the API for adding a user to a role.

131246911 API Management For developer emails in a portal, enable support for newer domains such as *.games, *.asia

An issue was fixed where some domain names, such as *.games, *.asia, and *.africa caused developer creation on Edge to fail because the domain validator did not recognize them. Edge now only validates that an email address format is valid (contains an '@' symbol).

142217645 API Management

PUT v1/o/{org_name}/apiproducts/{product_name} doesn't remove quotas

162299668 Management Server

A potential security vulnerability was fixed.

135856488 Management Server

UI slowness

139407965 Management Server

An issue was fixed that allowed a KVM to be created without a name.

112488235 Management Server

Validation was added to prevent virtual hosts from being created with spaces in the name. Space characters are not valid for use in virtual host names.

132433193 Monetization Management

An issue with application update was fixed.

152514520 Monetization Management

An issue with management API calls to delete entities was fixed.

128450374 API Runtime

JWT/JWS policies ought to respect IgnoreUnresolvedVariables - throw appropriate fault if variable is not defined

135354517 API Runtime

Org fails in Release_190301 due to strict enforcement of 'String' datatype in BasicAuth

131763486 API Runtime

The base path of a shared flow should be ignored in the message processor

135972575 API Runtime

Private Cloud 4.19.01 is showing different behavior during deployment with override=true&delay=300

This fix will be included in a future Edge for Private Cloud release.

141601836 API Runtime

Fix hostname in log message

116834109 API Runtime

Incorrect values for the variables failed, fault.cause, and fault.name in Trace

130653816 API Runtime

Intermittent 404s to runtime traffic

132777537 API Runtime

ExtractVariables policy failing for valid JSONPath

133713555 API Runtime

Edge router altering date header

133253435 API Runtime

High CPU usage by Apigee-Main thread

111553402 API Runtime

An API product with invalid characters in the path not caught until runtime

126240341 API Runtime

Improve generic "Generation Failed" message on GenerateJWT policy failure

119854424 API Runtime

LoadBalancer with single target server shouldn't become inactive on connection failure

129275412 API Runtime

Add HTTP headers to the fallback virtual host for generic IP scans

129351507 API Runtime

BasicAuthentication policy fails to decode when the password contains a colon

65852874 API Runtime

Make sure that HTTPClient does not try to reuse a connection that had a Connection:close response header

138951646 API Runtime

Time limit does not work in JavaScript for httpClient

139051927 API Runtime

High request processing latency

132443137 API Runtime

Change message processor behavior to handle unknown internal x-apigee headers

138310777 API Runtime

Shared flow deployment call randomly returns 504

67170148 API Runtime

Elapsed Time and timeTaken differences in ServiceCallouts

124049692 API Runtime

NullPointerException in VerifyApiKey policy

135031506 API Runtime

Add log message for unexpected JWT key format

137312366 API Runtime

Content validation by Content-Type header

109871907 API Runtime

ServiceCallout execution delays with no Response element

143722867 API Runtime

JWT must enforce a configurable limit on the number of iterations for PBKDF2

144286363 Hybrid Trace

Debug mask in env.json does not mask response data in Apigee hybrid

147769812 API Runtime

Declare OAuth hash properties as mutable in feature-flags

149037704 API Runtime

An issue was fixed where the value to assigned to proxy.url flow variable could possibly return incorrect host alias.

148972262 API Runtime

DecodeJWS emits the payload to a context variable in a useless form

116580622 API Runtime

Inconsistent response

149739904 API Runtime

Data masking for HTTP headers should be case insensitive

149431545 API Runtime

GenerateJWT and VerifyJWT with SecretKey does not accept any encoding except for UTF-8

155448596 API Management-Patch

Missing permissions on default apimonitoringadmin role

Missing permissions were added to the apimonitoringadmin role.

158592076 API Management-Patch

Missing permissions on default devadmin role

Missing permissions were added to the devadmin role.

152856311 API Management-Patch

Validations to reject PKCS7 and DER certs in keystore and truststore during virtual host creation and update

During virtual host creation or update, validations are enforced to check if the certs added in the keystore alias and truststore are in PEM format and not in incompatible formats like PKCS7, DER, and so on.

155478545 Monetization Management-Patch

An issue with email notifications status updates was fixed.

154121499 Monetization Management-Patch

An issue where the /mint/org/orgname/delete-org-data API threw a 404 status error was fixed.

152356393 Monetization Management-Patch

The company name length validation was relaxed for monetization company creation.

138542921 Monetization Management-Patch

An issue was fixed where creating a rate plan failed with multiple custom attributes in the product bundle.

150948843 Monetization Management-Patch

An issue was fixed where the Monetization /sync-developers API threw persistence conflicts.

155443118 Monetization Management-Patch

The jsonMailProperties field was removed.

150948843 Monetization Management-Patch

An issue was fixed where the Monetization /sync-developers API threw persistence conflicts.