4.53.00.02 - Edge for Private Cloud release notes

On December 19, 2024, we released a new version of Apigee Edge for Private Cloud.

Update procedure

This section describes how to install this release if you are updating from the previous release of Edge for Private Cloud. If you need to update from an earlier release, see Applying Multiple Patch Versions.

Updating to this release updates the components listed below:

  • apigee-nginx-1.26.1-el8.x86_64.rpm
  • apigee-nginx-1.26.1-el9.x86_64.rpm
  • apigee-qpidd-8.0.6-0.0.2534.noarch.rpm
  • apigee-sso-4.53.00-0.0.21506.noarch.rpm
  • apigee-tomcat-9.0.86-0.0.948.noarch.rpm

You can check the RPM versions currently installed to see if they need to be updated by entering:

apigee-all version

To update your installation, perform the following procedure on the Edge nodes:

  1. On all Edge nodes:

    1. Clean the Yum repositories:
      sudo yum clean all
    2. Download the latest Edge 4.53.00 bootstrap_4.53.00.sh file to /tmp/bootstrap_4.53.00.sh:
      curl https://software.apigee.com/bootstrap_4.53.00.sh -o /tmp/bootstrap_4.53.00.sh
    3. Install the Edge 4.53.00 apigee-service utility and dependencies:
      sudo bash /tmp/bootstrap_4.53.00.sh apigeeuser=uName apigeepassword=pWord

      where uName and pWord are the username and password you received from Apigee. If you omit pWord, you will be prompted to enter it.

    4. Use the source command to execute the apigee-service.sh script:
      source /etc/profile.d/apigee-service.sh
  2. On all Qpid nodes, execute the update.sh script:
    /opt/apigee/apigee-setup/bin/update.sh -c qpid -f configFile
  3. On SSO nodes, follow the procedure detailed in the Steps for updating Apigee SSO from older versions section:
    /opt/apigee/apigee-setup/bin/update.sh -c sso -f configFile

Steps for updating Apigee SSO from older versions

In Edge for Private Cloud 4.53.00, the IDP keys and certificates used in the apigee-sso component are now configured through a keystore. You will need to export the key and certificate used earlier into a keystore, configure it, and then proceed with the SSO update as usual.

  1. Identify the existing key and certificate used for configuring IDP:
    1. Retrieve the certificate by looking up the value of SSO_SAML_SERVICE_PROVIDER_CERTIFICATE in the SSO installation configuration file or by querying the apigee-sso component for conf_login_service_provider_certificate.

      Use the following command on the SSO node to query apigee-sso for the IDP certificate path. In the output, look for the value in the last line.

      apigee-service apigee-sso configure -search conf_login_service_provider_certificate
    2. Retrieve the key by looking up the value of SSO_SAML_SERVICE_PROVIDER_KEY in the SSO installation configuration file or by querying the apigee-sso component for conf_login_service_provider_key.

      Use the following command on the SSO node to query apigee-sso for the IDP key path. In the output, look for the value on the last line.

      apigee-service apigee-sso configure -search conf_login_service_provider_key
  2. Export the key and certificate to a keystore:
    1. Export the key and certificate to a PKCS12 keystore:
      sudo openssl pkcs12 -export -clcerts -in <certificate_path> -inkey <key_path> -out <keystore_path> -name <alias>

      Parameters:

      • certificate_path: Path to the certificate file retrieved in Step 1.a.
      • key_path: Path to the private key file retrieved in Step 1.b.
      • keystore_path: Path to the newly created keystore containing the certificate and private key.
      • alias: Alias used for the key and certificate pair within the keystore.

      Refer to the OpenSSL documentation for more details.

    2. (Optional) Export the key and certificate from PKCS12 to a JKS keystore:
      sudo keytool -importkeystore -srckeystore <PKCS12_keystore_path> -srcstoretype PKCS12 -destkeystore <destination_keystore_path> -deststoretype JKS -alias <alias>

      Parameters:

      • PKCS12_keystore_path: Path to the PKCS12 keystore created in Step 2.a, containing the certificate and key.
      • destination_keystore_path: Path to the new JKS keystore where the certificate and key will be exported.
      • alias: Alias used for the key and certificate pair within the JKS keystore.

      Refer to the keytool documentation for more details.

  3. Change the owner of the output keystore file to the "apigee" user:
    sudo chown apigee:apigee <keystore_file>
  4. Add the following properties to the Apigee SSO configuration file and update them with the keystore file path, password, keystore type, and alias:
    # Path to the keystore file
    SSO_SAML_SERVICE_PROVIDER_KEYSTORE_PATH=${APIGEE_ROOT}/apigee-sso/source/conf/keystore.jks
    
    # Keystore password
    SSO_SAML_SERVICE_PROVIDER_KEYSTORE_PASSWORD=Secret123  # Password for accessing the keystore
    
    # Keystore type
    SSO_SAML_SERVICE_PROVIDER_KEYSTORE_TYPE=JKS  # Type of keystore, e.g., JKS, PKCS12
    
    # Alias within keystore that stores the key and certificate
    SSO_SAML_SERVICE_PROVIDER_KEYSTORE_ALIAS=service-provider-cert
  5. Update Apigee SSO software on the SSO node as usual using the following command:
    /opt/apigee/apigee-setup/bin/update.sh -c sso -f /opt/silent.conf
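
Before running update.sh, it is worth confirming that the keystore from Step 2 holds the same key and certificate identified in Step 1. The following is an added example, not Apigee tooling: the function names, the KS_PASS variable and the throwaway key pair built in demo are assumptions constructed for illustration.

```shell
# Added example: check a PKCS12 keystore against the original SSO key and cert.
# The keystore password is read from the exported variable KS_PASS (assumed
# name) through openssl's env: source, so it never appears in the process list.

# Return 0 if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 if keystore ($2) opens with KS_PASS, holds alias ($3), and its
# certificate has the same SHA-256 fingerprint as the certificate file ($1).
# Returns 2 for an unreadable keystore, 3 for a missing alias, 1 for a mismatch.
keystore_matches() {
  local bag want got
  bag=$(openssl pkcs12 -in "$2" -nokeys -clcerts -passin env:KS_PASS 2>/dev/null) || return 2
  printf '%s\n' "$bag" | sed -n 's/^ *friendlyName: //p' | grep -qxF -- "$3" || return 3
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
  got=$(printf '%s\n' "$bag" | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$want" = "$got" ]
}

# Demo on a constructed throwaway key pair (not a real SSO key). The pkcs12
# call is Step 2.a from the page, with the password taken from the environment.
demo() {
  local d rc
  d=$(mktemp -d) || return 1
  export KS_PASS='constructed-demo-pass'
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-sp' \
    -keyout "$d/sp.key" -out "$d/sp.crt" 2>/dev/null &&
  key_matches_cert "$d/sp.crt" "$d/sp.key" &&
  openssl pkcs12 -export -clcerts -in "$d/sp.crt" -inkey "$d/sp.key" \
    -out "$d/keystore.p12" -name service-provider-cert -passout env:KS_PASS &&
  keystore_matches "$d/sp.crt" "$d/keystore.p12" service-provider-cert
  rc=$?
  rm -rf "$d"
  return "$rc"
}

demo && echo "keystore matches the original key and certificate"
```

For a JKS keystore produced by the optional conversion step, `keytool -list -v` prints the alias and SHA-256 fingerprint for the same comparison by hand.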

Bug fixes

This section lists the Private Cloud bugs that were fixed in this release.

Issue ID    Description
379446933   Fixed the issue preventing nginx from binding to port 443.

Security issues fixed

The following is a list of known security issues that have been fixed in this release. To avoid these issues, install the latest version of Edge Private Cloud.

Issue ID    Description
344961470   Patched QPID management portal for an XSS vulnerability.

Changes to supported software

No support for new software has been included in this release.

Deprecations and retirements

There are no new deprecations or retirements in this release.

New features

This section lists new features in this release.

Issue ID    Description
379125083   Enabled Single Sign-On (SSO) functionality in FIPS-enabled RHEL-8 environments.
379125495   SSO now accepts keys and certificates for IDP in keystore format.

Known issues

See Known issues with Edge for Private Cloud for a complete list of known issues.

Applying multiple patch versions

This section describes how to apply multiple patch versions, in case you are updating from a version of Edge for Private Cloud that is earlier than the previous patch release version.

Each patch release contains updates to specific components of Edge for Private Cloud, such as edge-management-server. To apply multiple patch versions, you need to update each Edge component that was included in a patch release later than your currently installed version. You can find these components by looking at the Edge for Private Cloud release notes for all versions later than your current version, and checking the list of RPMs for those releases. See Apigee Release Notes for links to all Edge for Private Cloud release notes.

Note: You only need to update each component once, by installing the RPM for the latest version of the component included in the patch releases. Follow the instructions in the release notes for that version to update the component.

Note: Upgrading a component automatically installs the latest patch version of a component. If you want to upgrade to a patch version that is not the latest, you need to maintain your own tarball copy of Apigee's repo using Apigee mirror, and use this mirror for Apigee installations. For more information, refer to Using a local Edge repository to maintain your Edge version.