4.18.01 - Edge for Private Cloud release notes

Since the previous Edge for Private Cloud Feature Release, the following releases have occurred and are included in this Feature Release:

Edge UI release Edge management release Portal release

See About release numbering to understand how you can figure out whether a specific cloud release is included in your version of Edge for Private Cloud.

Release overview

The most important new features in this release include:

  • Upgrade to PostgreSQL 9.6
  • Beta Release of the New Edge Experience for Private Cloud
  • Beta release of three new policies that let you generate, verify, and decode JSON Web Tokens (JWT).

This release also includes all of the bug fixes and new features included in the Edge Public Cloud releases listed below.

Deprecations and retirements

The following features were deprecated or retired in this release. See the Edge deprecation policy for more information.

Deprecations

Deprecation of new installs of API BaaS

New customers as of January 31, 2018 are not eligible for API BaaS unless your specifications sheet highlights API BaaS entitlement.

Deprecation of Apigee secure store (vaults)

The Apigee secure store, also known as "vaults," is being deprecated and will be retired in September of 2018. Vaults, which provide encrypted storage of key/value pairs, are created with the management API and accessed at runtime with functions in the apigee-access Node.js module.

Instead of using the secure store, use encrypted key value maps (KVMs), as described in Working with key value maps. Encrypted KVMs are just as secure as vaults and provide more options for creation and retrieval. (MGMT-3848)

Deprecation for adding paths on the API proxy Performance tab

Up to this release, you could navigate to an API proxy in the management UI, go to the Performance tab, and create different paths for a chart-based comparison on the proxy's Performance tab and in the Business Transactions dashboard. This feature is now retired and is no longer available in the UI. For an alternative to this functionality, see the following Apigee Community article: https://community.apigee.com/articles/23936/alternative-to-business-transactions-api.html. (EDGEUI-902)

Deprecation of the SMTPSSL property to set the SMTP protocol for the Developer Services portal

You now use the SMTP_PROTOCOL property, instead of the SMTPSSL property, to set the protocol used by the SMTP server connected to the portal. The valid values are: "standard", "ssl", or "tls".

See Developer Services portal installation for more.

New features and updates

Following are the new features and enhancements in this release. In addition to the following enhancements, this release also contains multiple usability, performance, security, and stability enhancements.

Private Cloud

PostgreSQL upgrade to version 9.6

This release includes an upgrade to PostgreSQL 9.6 to allow Edge to take advantage of the Parallel Query feature in PostgreSQL. For more, see:

Beta Release of the New Edge Experience for Private Cloud

This release of Edge for the Private Cloud contains a Beta release of a major update to the API management user interface. This New Edge experience builds on top of the existing features of the Apigee Edge platform, and adds some enhancements, particularly in the areas of Design and Publishing.

The New Edge experience has previously been available only to Cloud users. With this release of Edge for the Private Cloud, you can now install the Beta version of the New Edge experience.

See Beta Release of the New Edge Experience for Private Cloud for more.

Beta release of the JWT policies

JSON Web Token (JWT) is a token standard described in IETF RFC 7519. JWT provides a way to sign a set of claims, in other words a set of name/value pairs, which can later be verified reliably by the recipient of the JWT.

This release contains three new policies that let you generate, verify, and decode JSON Web Tokens (JWT) on Apigee Edge:

  • Generate JWT policy - Generates a signed JWT, with a configurable set of claims. The JWT can then be returned to clients, transmitted to backend targets, or used in other ways. See Generate JWT policy (Beta version) for more.
  • Verify JWT policy - Verifies the signature on a JWT received from clients or other systems. This policy also extracts the claims into flow variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions. See Verify JWT policy (Beta version) for more.
  • Decode JWT policy - Decodes a JWT without verifying the signature on the JWT. This policy is useful when used in concert with the JWT Verification Policy, when the value of a claim from within the JWT must be known before verifying the signature of the JWT. See Decode JWT policy (Beta version) for more.

See JWT policies overview for an overview.
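
The decode-then-verify flow described for the Decode JWT and Verify JWT policies, as an added Python example (not Apigee code or policy configuration). It assumes HS256 and a constructed per-issuer key table; all function names and key values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-issuer HS256 keys (hypothetical values for this example).
KEYS_BY_ISSUER = {
    "partner-a": b"constructed-secret-for-partner-a",
    "partner-b": b"constructed-secret-for-partner-b",
}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_object(segment):
    """Decode one base64url JSON segment; it must be a JSON object."""
    value = json.loads(b64url_decode(segment))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value

def generate_jwt(claims, key):
    """Sign a set of claims with HS256 (the 'generate' step)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_jwt(token):
    """Parse header and claims WITHOUT checking the signature (untrusted)."""
    header_b64, claims_b64, _sig = token.split(".")
    return parse_object(header_b64), parse_object(claims_b64)

def verify_jwt(token, key):
    """Check the HS256 signature, then return the claims; ValueError otherwise."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    # Pin the algorithm; the token must not be able to select "none" or another alg.
    if parse_object(header_b64).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the presented and recomputed signatures.
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    return parse_object(claims_b64)

def authorize(token):
    """Decode only to pick the key, verify, and use claims only after that."""
    _header, untrusted_claims = decode_jwt(token)
    key = KEYS_BY_ISSUER.get(untrusted_claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    return verify_jwt(token, key)
```

The unverified claims are used for nothing except choosing the key; routing or authorization decisions read only the value returned after verification.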

OCSP stapling supported for virtual hosts (65587547)

Virtual hosts now support OCSP stapling for one-way and two-way TLS. When enabled, an OCSP (Online Certificate Status Protocol) client sends a status request to an OCSP responder to determine if the certificate is valid. The response indicates if the certificate is valid and not revoked.

By default OCSP stapling is off. TLS must be enabled on the virtual host to enable OCSP.

See Virtual host property reference for more.

Router retry options can now be set at the virtual host level

You can now set retry options for the Router's communications with the Message Processor on the virtual host. This gives you more fine-grained control than the previous options, which were only settable at the Router level.

For more information, see Virtual host configuration properties.

External Role Mapping support added (67145030)

If you are using External Authentication to integrate an external directory service into an Apigee Edge Private Cloud installation, you can now use External Role Mapping. External Role Mapping lets you map your own groups or roles to role-based access control (RBAC) roles and groups created on Apigee Edge.

The External Role Mapping service for Edge for Private Cloud releases prior to 4.18.01 has been deprecated. Release 4.18.01 of External Role Mapping is an updated version with bugs fixed and new features added:

  • Fixed the problem where you received authentication 403 forbidden responses when authenticating with users who should have access.
  • The X-Apigee-Current-User header is now supported in External Role Mapping. Users with proper access (sysadmin) can log in as another user with their own credentials.

See External Role Mapping for more.

Can now test system requirements without running an install (67858161)

Edge for the Private Cloud 4.17.09 added support for the ENABLE_SYSTEM_CHECK=y property to check CPU and memory requirements on a machine as part of an install. However, that check required you to perform an actual install. You can now use the "-t" flag to make that check without having to do an install:

/opt/apigee/apigee-setup/bin/setup.sh -p aio -f configFile -t

This command displays any errors with the system requirements to the screen.

See Install Edge components on a node for more.

Updated PHP version for Developer Services portal (68733233)

The portal now uses PHP version 7.0.23.

No longer required to configure an SMTP server with the Developer Services portal (70164403)

You are no longer required to configure an SMTP server when installing the portal. You can now configure one post-installation.

API Services

Name validations on new entities (MGMT-4252 and MGMT-4098)

When you create new entities, Apigee validates the names to enforce naming rules. Entities being validated on creation or update are: API proxies, policies (and policy names in API proxy definitions), virtual hosts, roles, caches, target servers, data masks for debugging, keystores and truststores, and resource files in API proxies. See Naming and input error advisories for naming restrictions on these entities.

Bugs fixed

The following bugs are fixed in this release. This list is primarily for users checking to see if their support tickets have been fixed. It's not designed to provide detailed information for all users.

Private Cloud 4.18.01

Issue ID Description
68001164 PHP LDAP extension is now installed by default with portal
The PHP LDAP extension is now installed by default when installing the portal on RedHat and CentOS. This module makes enabling the Drupal LDAP module easier.
68049481 The Drupal settings.php file is now writable
The portal install script now makes sure that the Drupal settings.php file is writable by the "apigee" user so that it can be copied and updated correctly.

68139166 Installer output showed OpenLDAP being downgraded when it was not.
68329105 Portal setup fails to create a user when connecting to Edge when SAML is enabled and uses a self signed cert.
68427561 Portal configuration properties now set correctly after a restart.
69024465 Unable to undeploy SharedFlow in Edge UI
69711616 Updated Jackson Databind to version 2.7.9.1 in the third-party JARs.

17.11.06 (UI)

Issue ID Description
68357182 CSV file does not include the correct data for time frame (includes full set of data)
The CSV file did not include the correct data for the specified time frame. Instead, the full set of data was included in the file. This issue has been fixed.

67650494 Edge UI should track environment changes
In some cases, environment changes were not persisted when moving between pages in the UI. This issue has been fixed.

17.10.25.00 (portal)

Issue ID Component Name Description
67646686 Developer Portal - Drupal "&amp;" displayed on Forum page
Fixed bug where the default Apigee theme shows "&amp;" for any ampersands in the menu tabs.
65456469 Developer Portal - Drupal Update CAPTCHA module for security enhancements provided by the module contributors
The CAPTCHA module has been updated to CAPTCHA 7.x-1.5 to fix a security vulnerability. For more information, see https://www.drupal.org/node/2907137.
65101827 Developer Portal - Drupal Company app analytics not working
Fixed bug where Monetization Company apps could not show any analytics data.
65003870 Developer Portal - Drupal Not able to cancel future rate plans
Fixed bug where future rate plans purchased by a company could not be cancelled.
65003539 Developer Portal - Drupal Use default country from Drupal locale
The Monetization Contact and Billing Details address now uses the default country from the Locale Default country setting. You can change this setting by selecting Configuration > Regional and language in the Drupal Administration menu. Changing the default locale changes the default country on the Monetization Contact and Billing Details section.

17.10.11 (UI)

Issue ID Description
67005192 UI needs to handle decoded paths when checking for permissions
The UI now handles decoded paths when checking user permissions.

17.09.20 (API management and runtime)

Issue ID Component Name Description
MGMT-4219 API Management MGMT to send org and env header to blobstore
MGMT-4065 API Management Support enabled for PKS format certs
MGMT-3782 API Management Optimal default consistency level value for identity-zone
MGMT-3913 API Management Resolve timeout issue for retrieving OAuth2 tokens by an appId
MGMT-4177 API Management Ability to disable Basic Authentication Scheme in SecurityProfile
MGMT-3978 API Management Need a CWC token to set JVM_OPTIONS on all Java components
MGMT-3918, MGMT-4294 API Management Auto URL-encode special characters in permission paths for custom roles
APIRT-4767 API Runtime JavaScript step should always use UTF-8 for content
APIRT-4725 API Runtime Fixed OAuth service NPE issue
APIRT-4691 API Runtime Allow time to drain connections before killing unhealthy service
APIRT-4644 API Runtime Basic authorization for BlobstoreService
APIRT-4636 API Runtime Sense Action should continue to function if Zookeeper is down
APIRT-4635 API Runtime Reuse refresh token attribute support enabled for OAuth policies
APIRT-4632 API Runtime Rolling window quota counter not being calculated accurately
APIRT-4584 API Runtime Flow hook not deploying consistently, ZooKeeper check not working
APIRT-4542 API Runtime The MP Sense Task ended without notice
APIRT-4522 API Runtime Analytics doesn't work for monetization-enabled message processors if the org region is different from the axgroup region
APIRT-4444 API Runtime Compute error rates per target per error code
APIRT-4435 API Runtime RepositoryServiceImpl.loadAsString() doesn't use charset
APIRT-4370 API Runtime High memory usage on org MPs
APIRT-4354 API Runtime Capture TLS version in Nginx access_log for every request
APIRT-4169 API Runtime Current version of Nginx doesn't support variable combination required for X-Forwarded-For header
APIRT-3671 API Runtime Tokens are not recorded as hashed after turning on hashing
APIRT-3593 API Runtime OAuth token not holding the set attribute in a subsequent call
APIRT-3081 API Runtime messaging.adaptors.http.flow.ServiceUnavailable error with Concurrent Rate Limit policy
APIRT-4660 API Runtime Add MP pod name in the header to router X-Apigee-Pod
APIRT-4506 API Runtime Cache changes are not getting replicated to a specific message processor
APIRT-4196 API Runtime Message Logging policy syslog timestamp format is not correct
66933664 API Runtime QuotaService for non-CPS flow should clean up buckets asynchronously and not in Apigee-Main thread
66495205 API Runtime Better handling of JavaScript policy with async http calls to prevent NPE
65847462 API Runtime print statement fails with NPE
65648578 API Runtime Only MPs should register in consul KV path
65603360 API Runtime JavaScript calls fail with null error
65416531 Feature Platform Resurrect the message context when JavaScript objects are brought back into JavaScript step context
67405744 Apigee High request processing latency on MPs
65849186 Trireme Unhandled exceptions do not cause Node.js/Trireme process to exit
65713882 Trireme mongodb-core in Trireme produces different crypto results than native Node.js
65374484 Trireme Node security: http.get with numeric authorization options creates uninitialized buffers
64577449 Trireme Trireme returns Invalid verify algorithm sha256 error
EDGESERV-6 Edge Server Node apps experiencing x_apigee_fault_code: "scripts.node.runtime.ScriptExecutionError"

17.09.20 (UI)

Issue ID Description
65584963 Analytics: Custom reports filter needs to have case-insensitive check for data type
The custom reports filter is now case-insensitive for data type comparisons.
65446846 Unable to assign administrator role for a company in Edge UI
The full set of developers and companies are displayed and can be managed in the Edge UI.
65125644 Cannot remove an API product from a credential for Company App
An issue has been fixed that was preventing an API product from being removed from a credential for a company app.

17.09.11 (API management)

Issue ID Description
64541665 Change source logger configuration on MP to have different log names
APIRT-3593 OAuth token not holding the set attribute in a subsequent call
APIRT-4336 Split the OAuthStepExecution into multiple step executions. Each operation should have a dedicated step execution
APIRT-4444 Compute error rates per target per error code
APIRT-4456 Refactor Verify API Key for EAP-gateway/apid
APIRT-4635 Reuse refresh token attribute support enabled for OAuth policies
APIRT-4683 Add GCP LB IPs as Trusted for XFF Headers
APIRT-4723 OAuth bundle load support for EdgeX/Hybrid mode
APIRT-4725 Fixed OAuth service NPE issue
APIRT-4726 ScriptableHttpClient should not assume a message context is still present at send time
MGMT-3764 Invalid keystore no longer gets through management
MGMT-3782 Optimal default consistency level value for identity-zone
MGMT-3913 Resolve timeout issue for retrieving OAuth2 tokens by an appId
MGMT-3997 Deleting keystores should not be allowed if there's a reference pointing to it
MGMT-4013 Updating the keystore reference checks for existence of keystore and referenced alias
MGMT-4065 Support enabled for PKS format certs
MGMT-4113 Self service virtual host feature enhancement
MGMT-4229 After adding @JsonSerialize(include = JsonSerialize.Inclusion.NON_DEFAULT) apiconfiguration regression fails
MGMT-4232 [EDGEX/Hybrid] Import API uploads doesn’t corrupt bundle
MGMT-4242 [EDGEX/Hybrid] Support proxy deployment to more than one environment
MGMT-4245 [EDGEX/Hybrid] VirtualHost self service validation for hybrid-virtual-hosts
MGMT-4250 [EDGEX] Parallel execution for API proxy deployment status API

17.09.06 (UI)

Issue ID Description
65015144 Analytics: Custom reports page filter has issue with integer value filter for Big Query customers
The custom reports page filter now handles integer values as expected.
64806976 Developer field is not populated in the Apps list page
The Developer field is now populated for all apps in the list.
64766918 API proxy editor's YAML support is broken
Fixed a problem that was causing issues with YAML files in the API proxy editor.
64160572 Analytics: Remove Business Transactions from Analytics Menu and from proxy editor performance tab
The Business Transactions analytics dashboard is no longer supported. For alternatives, see the community article Alternative to Business Transactions API.

17.08.21.00 (portal)

Issue ID Description
DEVSOL-2625 Monetization roles getting dropped after switching company
If you have monetization enabled and you assign a role to a user, the role is no longer removed from the user when they switch from one company context to another.
DEVSOL-2621 Drupal modules updates
The following Drupal modules were updated to the release indicated:
  • File Entity (fieldable files) 7.x-2.4
  • Media 7.x-2.10
  • Media CKEditor 7.x-2.5
  • Media: YouTube 7.x-3.5
  • Metatag 7.x-1.22
  • Services Views 7.x-1.2
DEVSOL-2612 "Website encountered an error" message displayed while enabling Monetization
Fixed issue that occurred when enabling monetization modules. The message "Website encountered an error" was displayed with the following message in the logs:

Error: Call to a member function clear() on string in devconnect_monetization_clear_api_cache() (line 1517 of /var/www/html/profiles/apigee/modules/custom/devconnect/devconnect_monetization/devconnect_monetization.module)

This error is no longer logged.

DEVSOL-2609 Drupal status page does not show proper Edge connection status for SAML (OAuth)
Drupal Status page now shows proper Edge connection status for SAML (OAuth). Previously, the Reports > Status reports page would show the connection was not working even if you had SAML properly configured.
DEVSOL-2608 SAML/OAuth: Log prints Bearer token cache miss with every call
Fixed issue with Bearer token cache logic that was causing system to get a new token each time it called Edge.
DEVSOL-2599 Multiple issues with devconnect_user_developer_is_active()
Fixed issue where the wrong developer's status was checked to decide if the user is active or not. If a developer account is disabled in the Edge UI causing the app keys to stop working, the system will now display a message to inform the developer. Also added performance improvements to this functionality.
DEVSOL-2595 SAML configuration enhancements and updates
The following enhancements and updates have been made to the SAML configuration:
  • The SAML configuration page is now editable. For more information, see Using SAML authentication.
  • The username field is now displayed in the UI.
  • Fixed drush "dc-test" call to use standard connection test function so it no longer ignores SAML configuration settings.
DEVSOL-2569 App Analytics: Endpoint Response Time is no longer working, changed to Total Response Time
Endpoint Response Time analytics graph has been removed from the Analytics tab on the Developer apps page since it did not reflect total response time and was causing confusion. The metric was reflecting only the time it took for the endpoint to respond, but not the time it took the API proxy to respond. The Throughput graph displays the total response time for end developers.

17.07.31.00 (portal)

Issue ID Description
DEVSOL-2258 Some text fields cannot be translated into Portuguese
Added missing translation text in Drupal Dev Portal Apps module to Drupal Internationalization system. Previously, some text was not able to be translated on the "My Apps" pages.
DEVSOL-2536 Editing "app name" or "callback url" causes portal to remove API products from developer app
Updating a developer app will no longer result in API products being removed from the app.
DEVSOL-2519 Smartdocs has undeclared dependency on devconnect_developer_apps
Smartdocs module no longer has an unnecessary dependency on DevConnect developer apps module.
DEVSOL-2492 Incorrect HTML escaping in company page
Fixed issue where the monetization menus were displaying ampersands, such as, "Catalog & Plans", with HTML-encoding.
DEVSOL-2490 Improve usage of Rate plan date setters in monetization modules
Added better handling of Monetization rate plans across time zones.
DEVSOL-2440 Calling deprecated management "limits" API in dev portal results in 404s
Updated system to handle new view/purchase plan API in Monetization.
DEVSOL-2436 Table drupal_cache_mint missing in the DevPortal DB while trying to enable the Apigee_company Drupal module to enable monetization
Fixed issue where Monetization configuration will cause the following error: "ERROR: relation "drupal_cache_mint" does not exist".
DEVSOL-2419 Importing non-OpenAPI JSON as OpenAPI does not throw error messages
Importing an OpenAPI document into SmartDocs is now validated to make sure the document is an OpenAPI spec.
DEVSOL-2406 SmartDocs links, 'Revision Details' or 'Edit Revision', do not work
Fixed issue where 'Revision Details' or 'Edit Revision' in SmartDocs revisions action menu were displaying the wrong page.
DEVSOL-2382 "Lock SmartDocs method templates" functionality
Created a new permission "Administer SmartDocs templates" so that the ability to edit SmartDocs templates can be removed or limited to a role.
DEVSOL-2380 Undefined index error in Drupal logs
Removed the following misleading message in the Drupal log for Monetization-enabled sites: Undefined index: role in Apigee\ManagementAPI\Company->listDevelopers()
DEVSOL-2375 Invalid Address error in Drupal log
Fixed bug that caused invalid errors to be added to the log if the system did not have SMTP configured.
DEVSOL-2355 cURL timeout results in PHP warnings and bad logs in edge-php-sdk
Fixed bug where timeouts would result in poorly formatted log messages.
DEVSOL-2336 Monetization payment provider configuration update
The Configuration > Monetization Settings > Recurring Payment via Worldpay developer portal configuration page can now be used to configure WorldPay payment details.
DEVSOL-2307 Add warning/docs that apigee_company module can only be used with monetization
The apigee_company Drupal module requires Monetization to be enabled. If you enable the apigee_company module when Monetization is not enabled, a warning message is displayed in the Status report for the site.
DEVSOL-2270 After the latest release of monetization (2016-Oct-5th) cannot save Company info
Fixed issue in Monetization where company information would not save properly.
DEVSOL-2175 Me Aliases and core Statistics modules do not play well together
Drupal core and the "Me Aliases" contrib module were patched so that "Me Aliases" and the core Statistics module can be enabled at the same time. For more information, see https://www.drupal.org/node/1863260 and https://www.drupal.org/node/2076691.

Known Issues

This release has the following known issues:

Issue ID Description
72379834 Permission error message appears when stopping apigee-postgresql
When you use the apigee-service apigee-postgresql stop command to stop apigee-postgresql, you might see a message saying that apigee-service cannot change to the user's home directory. You can ignore that message.

68722102 MessageLogging policy including extra information in the log message

The FormatMessage element of the MessageLogging policy controls the format of the logged message. When FormatMessage=false, the logged message is not supposed to include any Apigee-generated information. However, even if you set FormatMessage=false, the log message still includes the following information:

  • The priority score
  • The timestamp