Since the previous Edge for Private Cloud Feature Release, the following releases have occurred and are included in this Feature Release:
|Edge UI release||Edge management release||Portal release|
See About release numbering to understand how you can figure out whether a specific cloud release is included in your version of Edge for Private Cloud.
The most important new features in this release include:
- Upgrade to PostgreSQL 9.6
- Beta Release of the New Edge Experience for Private Cloud
- Beta release of three new policies that let you generate, verify, and decode JSON Web Tokens (JWT).
This release also includes all of the bug fixes and new features included in the Edge Public Cloud releases listed below.
Deprecations and retirements
The following features were deprecated or retired in this release. See the Edge deprecation policy for more information.
Deprecation of new installs of API BaaS
New customers as of January 31, 2018 are not eligible for API BaaS unless your specifications sheet highlights API BaaS entitlement.
Deprecation of Apigee secure store (vaults)
The Apigee secure store, also known as "vaults," is being deprecated and will be retired in September of 2018. Vaults, which provide encrypted storage of key/value pairs, are created with the management API and accessed at runtime with functions in the apigee-access Node.js module.
Instead of using the secure store, use encrypted key value maps (KVMs), as described in Working with key value maps. Encrypted KVMs are just as secure as vaults and provide more options for creation and retrieval. (MGMT-3848)
Deprecation for adding paths on the API proxy Performance tab
Up to this release, you could navigate to an API proxy in the management UI, go to the Performance tab, and create different paths for a chart-based comparison on the proxy's Performance tab and in the Business Transactions dashboard. This feature is now retired and is no longer available in the UI. For an alternative to this functionality, see the following Apigee Community article: https://community.apigee.com/articles/23936/alternative-to-business-transactions-api.html. (EDGEUI-902)
Deprecation of the SMTPSSL property to set the SMTP protocol for the Developer Services portal
You now use the
property, instead of the
SMTPSSL property, to set the protocol used by
the SMTP server connected to the portal. The valid values are: "standard", "ssl", or
See Developer Services portal installation for more.
New features and updates
Following are the new features and enhancements in this release. In addition to the following enhancements, this release also contains multiple usability, performance, security, and stability enhancements.
PostgreSQL upgrade to version 9.6
This release includes an upgrade to PostgreSQL 9.6 to allow Edge to take advantage of the Parallel Query feature in PostgreSQL. For more, see:
- Update Apigee Edge 4.17.0x to 4.18.01
- Update Apigee Edge 4.16.09 to 4.18.01
- Update Apigee Edge 4.16.01/4.16.05 to 4.18.01
Beta Release of the New Edge Experience for Private Cloud
This release of Edge for the Private Cloud contains a Beta release of a major update to to the API management user interface. This New Edge experience builds on top of the existing features of the Apigee Edge platform, and adds some enhancements, particularly in the areas of Design and Publishing.
The New Edge experience has previously been available only to Cloud users. With this release of Edge for the Private Cloud, you can now install the Beta version of the New Edge experience.
Beta release of the JWT policies
JSON Web Token (JWT) is a token standard described in IETF RFC 7519. JWT provides a way to sign a set of claims, in other words a set of name/value pairs, which can later be verified reliably by the recipient of the JWT.
This release contains three new policies that let you generate, verify, and decode JSON Web Tokens (JWT) on Apigee Edge:
- Generate JWT policy - Generates a signed JWT, with a configurable set of claims. The JWT can then be returned to clients, transmitted to backend targets, or used in other ways. See Generate JWT policy (Beta version) for more.
- Verify JWT policy - Verifies the signature on a JWT received from clients or other systems. This policy also extracts the claims into flow variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions. See Verify JWT policy (Beta version) for more.
- Decode JWT policy - Decodes a JWT without verifying the signature on the JWT. This policy is useful when used in concert with the JWT Verification Policy, when the value of a claim from within the JWT must be known before verifying the signature of the JWT. See Decode JWT policy (Beta version) for more.
See JWT policies overview for an overview.
OCSP stapling supported for virtual hosts (65587547)
Virtual hosts now support OCSP stapling for one-way and two-way TLS. When enabled, an OCSP (Online Certificate Status Protocol) client sends a status request to an OCSP responder to determine if the certificate is valid. The response indicates if the certificate is valid and not revoked.
By default OCSP stapling is off. TLS must be enabled on the virtual host to enable OCSP.
See Virtual host property reference for more.
Router retry options can now be set at the virtual host level
You can now set retry options for the Router's communications with the Message Processor on the virtual host. This gives you more fine-grained control than the previous options, which were only settable at the Router level.
For more information, see Virtual host configuration properties.
External Role Mapping support added (67145030)
If you are using External Authentication to integrate an external directory service into an Apigee Edge Private Cloud installation, you can now use External Role Mapping. External Role Mapping lets you map your own groups or roles to role-based access control (RBAC) roles and groups created on Apigee Edge.
The External Role Mapping service for Edge for Private Cloud releases prior to 4.18.01 has been deprecated. Release 4.18.01 of External Role Mapping is an updated version with bugs fixed and new features added:
- Fixed the problem where you received authentication 403 forbidden responses when authenticating with users who should have access.
X-Apigee-Current-Userheader is supported now in External Role Mapping. Users with proper access (sysadmin) can login as another user with self credentials.
See External Role Mapping for more.
Can now test system requirements without running an install (67858161)
Edge for the Private Cloud 4.17.09 added support for the
property to check CPU and memory requirements on a machine as part of an install. However, that
check required you to perform an actual install. You can now use the "
-t" flag to
make that check without having to do an install:
/opt/apigee/apigee-setup/bin/setup.sh -p aio -f configFile -t
This command displays any errors with the system requirements to the screen.
See Install Edge components on a node for more.
Updated PHP version for Developer Services portal (68733233)
The portal now uses PHP version 7.0.23.
No longer required to configure an SMTP server with the Developer Services portal (70164403)
You no longer are required to configure an SMTP server when installing the portal. You can now configure one post-installation.
Name validations on new entities (MGMT-4252 and MGMT-4098)
When you create new entities, Apigee validates the names to enforce naming rules. Entities being validated on creation or update are: API proxies, policies (and policy names in API proxy definitions), virtual hosts, roles, caches, target servers, data masks for debugging, keystores and truststores, and resource files in API proxies. See Naming and input error advisories for naming restrictions on these entities.
The following bugs are fixed in this release. This list is primarily for users checking to see if their support tickets have been fixed. It's not designed to provide detailed information for all users.
Private Cloud 4.18.01
PHP LDAP extension is now installed by default with portal
The PHP LDAP extension is now installed by default when installing the portal on RedHat and CentOS. This module makes enabling Drupal LDAP module easier.
The Drupal settings.php file is now writable
The portal install script now makes sure that the Drupal
|68139166||Installer output showed OpenLDAP being downgraded when it was not.|
|68329105||Portal setup fails to create a user when connecting to Edge when SAML is enabled and uses a self signed cert.|
|68427561||Portal configuration properties now set correctly after a restart.|
|69024465||Unable to undeploy SharedFlow in Edge UI|
|69711616||Updated Jackson Databind to version 18.104.22.168 in the third-party JARs.|
CSV file does not include the correct data for time frame (includes full set
|67650494||Edge UI should track environment changes
In some cases, environment changes were not persisted when moving between pages in the UI. This issue has been fixed.
|Issue ID||Component Name||Description|
|67646686||Developer Portal - Drupal||& displayed on Forum page
Fixed bug where the default Apigee theme shows "&" for any ampersands in the menu tabs.
|65456469||Developer Portal - Drupal||Update CAPTCHA module for security enhancements provided by the module
The CAPTCHA module has been updated to CAPTCHA 7.x-1.5 to fix a security vulnerability. For more information, see https://www.drupal.org/node/2907137.
|65101827||Developer Portal - Drupal||Company app analytics not working
Fixed bug where Monetization Company apps could not show any analytics data.
|65003870||Developer Portal - Drupal||Not able to cancel future rate plans
Fixed bug where future rate plans purchased by a company could not be cancelled.
|65003539||Developer Portal - Drupal||Use default country from Drupal locale
The Monetization Contact and Billing Details address now uses the default country from the Locale Default country setting. You can change this setting by selecting Configuration > Regional and language in the Drupal Administration menu. Changing the default locale changes the default country on the Monetization Contact and Billing Details section.
|67005192||UI needs to handle decoded paths when checking for permissions
The UI now handles decoded paths when checking user permissions.
17.09.20 (API management and runtime)
|Issue ID||Component Name||Description|
|MGMT-4219||API Management||MGMT to send org and env header to blobstore|
|MGMT-4065||API Management||Support enabled for PKS format certs|
|MGMT-3782||API Management||Optimal default consistency level value for identity-zone|
|MGMT-3913||API Management||Resolve timeout issue for retrieving OAuth2 tokens by an appId|
|MGMT-4177||API Management||Ability to disable Basic Authentication Scheme in SecurityProfile|
|MGMT-3978||API Management||Need a CWC token to set JVM_OPTIONS on all Java components|
|API Management||Auto URL-encode special characters in permission paths for custom roles|
|APIRT-4725||API Runtime||Fixed OAuth service NPE issue|
|APIRT-4691||API Runtime||Allow time to drain connections before killing unhealthy service|
|APIRT-4644||API Runtime||Basic authorization for BlobstoreService|
|APIRT-4636||API Runtime||Sense Action should continue to function if Zookeeper is down|
|APIRT-4635||API Runtime||Reuse refresh token attribute support enabled for OAuth policies|
|APIRT-4632||API Runtime||Rolling window quota counter not being calculated accurately|
|APIRT-4584||API Runtime||Flow hook not deploying consistently, ZooKeeper check not working|
|APIRT-4542||API Runtime||The MP Sense Task ended without notice|
|APIRT-4522||API Runtime||Analytics doesn't work for monetization-enabled message processors if the org region is different from the axgroup region|
|APIRT-4444||API Runtime||Compute error rates per target per error code|
|APIRT-4435||API Runtime||RepositoryServiceImpl.loadAsString() doesn't use charset|
|APIRT-4370||API Runtime||High memory usage on org MPs|
|APIRT-4354||API Runtime||Capture TLS version in Nginx access_log for every request|
|APIRT-4169||API Runtime||Current version of Nginx doesn't support variable combination required for
|APIRT-3671||API Runtime||Tokens are not recorded as hashed after turning on hashing|
|APIRT-3593||API Runtime||OAuth token not holding the set attribute in a subsequent call|
|APIRT-3081||API Runtime||messaging.adaptors.http.flow.ServiceUnavailable error with Concurrent Rate Limit policy|
|APIRT-4660||API Runtime||Add MP pod name in the header to router X-Apigee-Pod|
|APIRT-4506||API Runtime||Cache changes are not getting replicated to a specific message processor|
|APIRT-4196||API Runtime||Message Logging policy syslog timestamp format is not correct|
|66933664||API Runtime||QuotaService for non-CPS flow should clean up buckets asynchronously and not in Apigee-Main thread|
|65847462||API Runtime||print statement fails with NPE|
|65648578||API Runtime||Only MPs should register in consul KV path|
|67405744||Apigee||High request processing latency on MPs|
|65849186||Trireme||Unhandled exceptions does not cause Node.js/Trireme process to exit|
|65713882||Trireme||mongodb-core in Trireme produces different crypto results than native Node.js|
|65374484||Trireme||Node security: http.get with numeric authorization options creates uninitialized buffers|
|64577449||Trireme||Trireme returns Invalid verify algorithm sha256 error|
|EDGESERV‑6||Edge Server||Node apps experiencing x_apigee_fault_code: "scripts.node.runtime.ScriptExecutionError"|
|65584963||Analytics: Custom reports filter needs to have case-insensitive check for data
The custom reports filter is now case-insensitive for data type comparisons.
|65446846||Unable to assign administrator role for a company in Edge UI
The full set of developers and companies are displayed and can be managed in the Edge UI.
|65125644||Cannot remove an API product from a credential for Company App
An issue has been fixed that was preventing an API product from being removed from a credential for a company app.
17.09.11 (API management)
|64541665||Change source logger configuration on MP to have different log names|
|APIRT‑3593||OAuth token not holding the set attribute in a subsequent call|
|APIRT-4336||Split the OAuthStepExecution into multiple step executions. Each of the operation should have a dedicated step execution|
|APIRT-4444||Compute error rates per target per error code|
|APIRT-4456||Refactor Verify API Key for EAP-gateway/apid|
|APIRT-4635||Reuse refresh token attribute support enabled for OAuth policies|
|APIRT-4683||Add GCP LB IPs as Trusted for XFF Headers|
|APIRT-4723||OAuth bundle load support for EdgeX/Hybrid mode|
|APIRT-4725||Fixed OAuth service NPE issue|
|APIRT-4726||ScriptableHttpClient should not assume a message context is still present at send time|
|MGMT‑3764||Invalid keystore no longer gets through management|
|MGMT-3782||Optimal default consistency level value for identity-zone|
|MGMT-3913||Resolve timeout issue for retrieving OAuth2 tokens by an appId|
|MGMT-3997||Deleting keystores should not be allowed if there's a reference pointing to it|
|MGMT-4013||Updating the keystore reference checks for existence of keystore and referenced alias|
|MGMT-4065||Support enabled for PKS format certs|
|MGMT-4113||Self service virtual host feature enhancement|
|MGMT-4229||After adding @JsonSerialize(include = JsonSerialize.Inclusion.NON_DEFAULT) apiconfiguration regression fails|
|MGMT-4232||[EDGEX/Hybrid] Import API uploads doesn’t corrupt bundle|
|MGMT-4242||[EDGEX/Hybrid] Support proxy deployment to more than one environments|
|MGMT-4245||[EDGEX/Hybrid] VirtualHost self service validation for hybrid-virtual-hosts|
|MGMT-4250||[EDGEX] Parallel execution for API proxy deployment status API|
|65015144||Analytics: Custom reports page filter has issue with integer value filter for
Big Query customers
The custom reports page filter now handles integer values as expected.
|64806976||Developer field is not populated in the Apps list page
The Developer field is now populated for all apps in the list.
|64766918||API proxy editor's YAML support is broken
Fixed issue that was causing issue with YAML files in the API proxy editor.
|64160572||Analytics: Remove Business Transactions from Analytics Menu and from proxy
editor performance tab
The Business Transactions analytics dashboard is no longer supported. For alternatives, see the community article Alternative to Business Transactions API.
|DEVSOL‑2625||Monetization roles getting dropped after switching company
If you have monetization enabled, if you assign a role to a user and they switch from one company context to another, the role is no longer removed from the user.
Drupal modules updates
The following Drupal modules were updated to the release indicated:
"Website encountered an error" message displayed while enabling
This error is no longer logged.
|DEVSOL-2609||Drupal status page does not show proper Edge connection status for SAML
Drupal Status page now shows proper Edge connection status for SAML (OAuth). Previously, the Reports > Status reports page would show the connection was not working even if you had SAML properly configured.
|DEVSOL-2608||SAML/OAuth: Log prints Bearer token cache miss with every call
Fixed issue with Bearer token cache logic that was causing system to get a new token each time it called Edge.
|DEVSOL-2599||Multiple issues with devconnect_user_developer_is_active()
Fixed issue where the wrong developer's status was checked to decide if the user is active or not. If a developer account is disabled in the Edge UI causing the app keys to stop working, the system will now display a message to inform the developer. Also added performance improvements to this functionality.
SAML configuration enhancements and updates
The following enhancements and updates have been made to the SAML configuration:
|DEVSOL-2569||App Analytics: Endpoint Response Time is no longer working, changed to Total
Endpoint Response Time analytics graph has been removed from the Analytics tab on the Developer apps page since it did not reflect total response time and was causing confusion. The metric was reflecting only the time it took for the endpoint to respond, but not the time it took the API proxy to respond. The Throughput graph displays the total response time for end developers.
|DEVSOL‑2258||Some text fields cannot be translated into Portuguese
Added missing translation text in Drupal Dev Portal Apps module to Drupal Internationalization system. Previously, some text was not able to be translated on the "My Apps" pages.
|DEVSOL-2536||Editing "app name" or "callback url" causes portal to remove API products from
Updating a developer app will no longer result in API products being removed from the app.
|DEVSOL-2519||Smartdocs has undeclared dependency on devconnect_developer_apps
Smartdocs module no longer has an unnecessary dependency on DevConnect developer apps module.
|DEVSOL-2492||Incorrect HTML escaping in company page
Fixed issue where the monetization menus were displaying ampersands, such as, "Catalog & Plans", with HTML-encoding.
|DEVSOL-2490||Improve usage of Rate plan date setters in monetization modules
Added better handling of Monetization rate plans across time zones.
|DEVSOL-2440||Calling deprecated management "limits" API in dev portal results in
Updated system to handle new view/purchase plan API in Monetization.
|DEVSOL-2436||Table drupal_cache_mint missing in the DevPortal DB while trying to enable the
Apigee_company Drupal module to enable monetization
Fixed issue where Monetization configuration will cause the following error: "ERROR: relation "drupal_cache_mint" does not exist".
|DEVSOL-2419||Importing non-OpenAPI JSON as OpenAPI does not throw error messages
Importing an OpenAPI document into SmartDocs is now validated to make sure the document is an OpenAPI spec.
|DEVSOL-2406||SmartDocs links, 'Revision Details' or 'Edit Revision', do not
Fixed issue where 'Revision Details' or 'Edit Revision' in SmartDocs revisions action menu were displaying the wrong page.
|DEVSOL-2382||"Lock SmartDocs method templates" functionality
Created a new permission "Administer SmartDocs templates" so that the ability to edit SmartDocs templates can be removed or limited to a role.
|DEVSOL-2380||Undefined index error in Drupal logs
Removed the following misleading message in the Drupal log for Monetization-enabled sites:
|DEVSOL-2375||Invalid Address error in Drupal log
Fixed bug that caused invalid errors to be added to the log if the system did not have SMTP configured.
|DEVSOL-2355||cURL timeout results in PHP warnings and bad logs in edge-php-sdk
Fixed bug where timeouts would result in poorly formatted log messages.
|DEVSOL-2336||Monetization payment provider configuration update
The Configuration > Monetization Settings > Recurring Payment via Worldpay developer portal configuration page can now be used to configure WorldPay payment details.
|DEVSOL-2307||Add warning/docs that apigee_company module can only be used with
The apigee_company Drupal module requires Monetization to be enabled. If you enable the apigee_company module when Monetization is not enabled, a warning message is displayed in the Status report for the site.
|DEVSOL-2270||After the latest release of monetization (2016-Oct-5th) cannot save Company
Fixed issue in Monetization where company information would not save properly.
|DEVSOL-2175||Me Aliases and core Statistics modules do not play well together
Drupal core and the "Me Aliases" contrib module were patched so that "Me Aliases" and the core Statistics module can be enabled at the same time. For more information, see https://www.drupal.org/node/1863260 and https://www.drupal.org/node/2076691.
This release has the following known issues:
Permission error message appears when stopping apigee-postgresql
When you use the
MessageLogging policy including extra information in the log message