What's new in the latest release (version 10.0.8.0)

Product files and release notes

Upgrading from API Connect 10.0.5.x

If you're upgrading to 10.0.8.x from 10.0.5.x, you should also note the major updates that were delivered to API Connect in versions 10.0.6.0 and 10.0.7.0. For a list of the key changes, see Upgrading to 10.0.8.x from 10.0.5.x.

What's new for Developers

Support for OIDC discovery

API Connect now provides native support for OIDC discovery, which allows a client to query attributes of the provider itself. You can supply the provider's URL as the OpenIDConnect Discovery path while Configuring the OIDC parameters for a native OAuth provider.

The Automated API behavior testing application is now available from the API Manager home page

If your cloud administrator installed the Automated API behavior testing application, you can access it by clicking the Test tile on the API Manager home page. For information on using the test application, see Testing an API with Automated API behavior testing.

New API discovery capability

Now, you can quickly discover the APIs in your organization, and pull them automatically into your API Manager, by using GitHub, DataPower® API Gateway proxy, and OpenTelemetry collectors. For more information, see API discovery.

Governance service updates

The following updates to the governance service are now available:

• The governance service is now available from the main navigation bar by clicking the Governance icon . Previously, the governance service was accessed from the Resources section.
• You can now run scans on your catalogs and spaces to validate the APIs that they contain by using Spectral rulesets. For more information, see Scanning your catalogs and spaces.
• The ability to create and manage product rulesets, as well as API rulesets, is now available; see Configuring governance in the Cloud Manager, and Configuring governance in the API Manager.
• You can now also run validation scans on your product documents, as well as on your API documents. For more information, see Validating an API or product document by using the governance service.
• Spectral 2.0.1 is now supported.

LoopBack is no longer supported

Beginning with API Connect 10.0.8.0, LoopBack is no longer supported. LoopBack is not included with the toolkit, and is not discussed in this documentation.

Toolkit CLI documentation relocated

The toolkit CLI documentation is now published at https://ibm-apiconnect.github.io/clidocs, instead of in the reference section of this collection.

Importing AsyncAPI with Event Endpoint Management

You can now import an AsyncAPI that was exported from Event Endpoint Management. For more information, see Importing an AsyncAPI from Event Endpoint Management.

Creating AsyncAPI with Event Endpoint Management

You can now create AsyncAPI by using Event Endpoint Management. AsyncAPI managed in Event Endpoint Management is read only in API Connect. For more information, see Creating an AsyncAPI with Event Endpoint Management.

View the subscription task approval history

You can now view the complete history of subscription task approvals. For more information, see Approving product lifecycle and subscription requests.

Download event logs from the gateway service

You can now download event logs from the gateway service. For more information, see Reviewing processing status and downloading event logs for gateway.

Added OAuth authorization support for four grant types

Added OAuth authorization support for the following four grant types:

• Access Code
• Application
• Implicit
• Password

For more information, see Sending the API request.

What's new for API product managers

New Consumer Catalog for testing and subscribing to APIs

You can now use a Consumer Catalog for testing and subscribing to APIs. The Consumer Catalog is a non-customizable, self-service, web-based site for application developers to test and subscribe to the APIs that are published in your catalog. The site uses less resources when compared to the Developer Portal, and offers quick and basic credential access. The Consumer Catalog is ideal for smaller API catalogs and internal users, who are looking for a lightweight consumer experience with basic functionality. A customer can have either a Developer Portal or a Consumer Catalog to test and subscribe to the APIs that are published in your catalog.

For more information, see Consumer Catalog and Developer Portal considerations.

New graphical representation of API event latency

The API latency visualizer has a new horizontal bar that highlights where most of time is spent in the processing of an API call.

Analytics event_id generation

The auto-generated event_id for analytics API events is now generated based on a hashed version of the datetime, transaction_id, and client_id fields combined by using the SHA1 algorithm.

This change prevents the analytics subsystem from ingesting duplicated API events, which can be caused by gateway failure.

New gateway_type field in analytics API events

The API event records have a new field gateway_type that indicates the type of gateway and version that processed the API call. For example, apigw/10.5.3.0. API event record fields are listed in API event fields.

All gateway types except for the V5 compatible gateway (v5c), set the new gateway_type field when they generate API events.

New log_policy filter option to select API events by logging type

Filter the view of your API events by log policy. An example use case is when your analytics persistent storage is near its limit and you want to identify all APIs that are set to payload logging. Disabling payload logging on your APIs reduces persistent storage use.

New analytics chart that shows the distribution of API calls across catalogs

If the same API is published to multiple catalogs, the new chart shows how calls to that API are distributed across your catalogs.

Analytics consumer's user agent string parsed to provide more details about the user

To provide more information on who is calling your APIs, the consumer's http_user_agent string is parsed into individual fields in the API event record, such as user_agent.os_version. The full list of user_agent fields is documented in API event fields.

Analytics reports can be exported from the UI as PDF

The detailed reports in Cloud Manager and API Manager UIs can be exported to PDF.

Analytics dashboards updated

The following analytics dashboards are updated and the charts are redistributed across the updated dashboards to eliminate duplication:

• New dashboards: Summary, Applications, Client information, Consumers.
• Removed dashboard: Usage.
• Renamed dashboards:
  • Monitoring Latency => Latency.
  • Monitoring Data => Data Transfer.
  • Monitoring Status => Status.

Analytics deprecated product report

The new report identifies which deprecated products are still being called. With this information, you can identify the consumers who are still using the deprecated APIs and encourage them to switch the new APIs.

Analytics reports available at space scope

All analytics reports are now available at the space scope, in addition to the existing cloud, provider organization, and catalog scopes.

Links to live analytics data from analytics reports

New Jump to live data button in the detailed analytics reports. Click Jump to live data to switch to the Discover view and see the current live data at the scope of the report.

Bookmark and share links to specific analytics pages, reports, and dashboards

You can bookmark and share analytics pages, reports, and dashboard views that include your filters.

Analytics CLI bucket_interval query parameter

The analytics CLI dashboards query has a new query parameter: bucket_interval. The bucket_interval parameter allows you to specify the interval between data points. For example, if you are querying for analytics data for the last week (specified with the --timeframe parameter), and you want 4 data points per day, then set bucket_interval to 6 hours (6h).

The CLI apic dashboards operations are documented here: https://ibm-apiconnect.github.io/clidocs/docs/v1008/analytics/apic_dashboards

Analytics GeoIP is enabled by default

The analytics ingestion.geoIPEnabled property is set to true by default.

When ingestion.geoIPEnabled is set to true, geographical information that is related to the callers IP address is included in API event records.

New links to analytics data from API Manager UI

The Manage Catalog and Manage Space views now have links to the analytics data and reports.

Consumer organization reports include a table of applications that are owned by the consumer

The detailed reports for consumer organizations now include a table that shows the applications that are in the consumer organization, and how many API calls each application made. Clicking the application name in this table takes you to the detailed report for the application. The application reports also include a link to the owning consumer organization report.

Analytics Logstash gelf output plug-in removed.

The output plug-in https://www.elastic.co/guide/en/logstash/current/plugins-outputs-gelf.html is removed from the analytics subsystem.

What's new for API consumers

New Consumer Catalog for testing and subscribing to APIs

API consumers can now use a Consumer Catalog for testing and subscribing to APIs. The Consumer Catalog is a non-customizable, self-service, web-based site for application developers to test and subscribe to APIs. The site uses less resources when compared to the Developer Portal, and offers quick and basic credential access. The Consumer Catalog is ideal for smaller API catalogs and internal users, who are looking for a lightweight consumer experience with basic functionality. You can have either a Developer Portal or a Consumer Catalog to test and subscribe to the APIs that are published in a catalog.

For more information, see Consumer Catalog and Developer Portal considerations.

What's new for Developer Portal site administrators

Updates to the custom-module and custom-theme Developer Portal commands

The custom-module:create-import and custom-theme:create-import commands now include a --wait flag to give you more control over the command completion time. Previously, the cache rebuild was automatically included as part of the task. Now, if you want to include the cache rebuild as part of the task, you must include the --wait flag. If you run the commands without the --wait flag, the cache is rebuilt in the background after the task is complete. For more information, see Using the custom-module commands and Using the custom-theme commands.

New Developer Portal maintenance commands

The following maintenance commands can be used to manage the maintenance operations on your Developer Portal:

• apic maintenance:disable - Disable your maintenance operations.
• apic maintenance:enable - Enable your maintenance operations.
• apic maintenance:rebuild_node_access - Rebuild the node access table for your maintenance operations.
• apic maintenance:search_api_index_rebuild - Rebuild and re-index the search API index of your maintenance operations.
• apic maintenance:search_api_index_status - Print the search API index of your maintenance operations.
• apic maintenance:status - Get the current mode of your maintenance operations.

For more information, see Using the maintenance commands.

New Developer Portal memcache commands

The following memcache commands can be used to manage the default caching store operations on your Developer Portal:

• apic memcache:disable - Disable your default caching store operations and set Drupal to use database as its cache.
• apic memcache:enable - Enable your default caching store operations and set Drupal to use RAM as its cache.
• apic memcache:get - Get the status of your memcache enabled operations.

For more information, see Using the memcache commands.

New Developer Portal role commands

The following role commands can be used to complete some Drupal role management tasks on your Developer Portal:

• apic role:create - Create a new user role.
• apic role:delete - Delete an unwanted user role.
• apic role:add-permission - Add one or more permissions to a user role.
• apic role:remove-permission - Remove one or more permissions from a user role.
• apic role:get - Get the details of a specific user role as well as the permissions available.
• apic role:list - List the roles based on a specific role or permission.

For more information, see Using the role commands.

New Developer Portal sites command

You can now use a sites:reset-upgrade-attempts command to reset the upgrade attempt counter within the Developer Portal, so that failed upgrades can be retried. For more information, see Using the sites commands.

New Developer Portal queue commands

Use the queue commands to list the queued and locked platform tasks on your Developer Portal site. For more information, see Using the queue commands.

New Developer Portal user commands

The following user commands can be used to complete some Drupal user management tasks on your Developer Portal:

• apic user:add-role - Add one or more roles to one or more specified user accounts.
• apic user:block - Block one or more users.
• apic user:information - Retrieve information about your users.
• apic user:remove-role - Remove one or more roles from one or more specified user accounts.
• apic user:unblock - Unblock one or more users.

For more information, see Using the user commands.

Removing keys that begin with x-ibm from the OpenAPI document download

By removing the keys that begin with x-ibm from the OpenAPI document download, you can download the OpenAPI documents without any key-value pairs that are IBM specific. Enabling this configuration setting removes the information about the API Management provider from the OpenAPI document that is downloaded in the Developer Portal.

For more information, see Removing keys beginning with x-ibm from OpenAPI document download.

What's new for DevOps

Upgrading the Management subsystem from 10.0.7.0 on VMware requires maintenance mode

If you are upgrading from 10.0.7.0 to 10.0.8.0, you must enable maintenance mode for the Management subsystem before you begin the upgrade. For more information, see step Upgrading management, portal, and analytics on VMware.

New cluster management operations in the analytics API for monitoring analytics ingestion

The Logstash APIs can now be run from the analytics REST API and toolkit CLI to provide more information on analytics ingestion.

Logstash API reference: https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html.

VMware apicup certs list command checks for certificate expiry

The apicup certs list command that is used on VMware now checks the expiry date of all certificates that are managed by apicup. A warning is output for any certificates that are expired or close to expiry.

For more information about checking certificate expiry on VMware, see Certificate expiry and renewal.

Analytics database backup updates

The analytics database backups can now be directed to a remote SFTP server, or stored locally.

The configuration of analytics backups and the restore procedures is simplified to two restore options:

• Repair. Restores indexes that are corrupted or missing.
• Replace. Restores all data from the backup, overwriting any existing data.

Object-store backups now support path-style hosts.

Note: Analytics database backups that were taken on an earlier release cannot be restored on V10.0.8.0.

Analytics n3xc4.m16 profile is deprecated

If you are using the analytics n3xc4.m16 component profile, then switch to the n3xc4.m32 profile. You can switch to the n3xc4.m32 profile before or after you upgrade to V10.0.8.0. If you continue with the n3xc4.m16 profile on V10.0.8.0, then your analytics subsystem might encounter memory limits that inhibit how much analytics data you can retain.

Top-level CR deployment profiles n3xc16.m48 and n3xc12.m40 deprecated

The top-level CR deployment profiles n3xc16.m48 and n3xc12.m40 are deprecated, and replaced with the profiles n3xc16.m64 and n3xc12.m56. It's recommended that you switch to one of these new profiles after the upgrade to 10.0.8.0 is complete. For information about switching profile, see Changing deployment profiles on OpenShift top-level CR.

Dedicated storage is the default storage type for analytics

For three replica analytics deployments, the dedicated storage type is now the default type. Not applicable to one replica deployments where the only available storage type is shared.

Backup and restore that uses OADP

For Cloud Pak for Integration users, API Connect subsystem backups can be configured with Red Hat OpenShift API for Data Protection (OADP). For more information about OADP, see Administering backup and restore in Cloud Pak for Integration.

Cloud Pak for Integration integration during installation

The default value for metadata.annotations.apiconnect-operator/cp4i is now false in all installation scenarios except for installation with the Cloud Pak for Integration Platform UI.

For more information about Cloud Pak for Integration and API Connect integration, see OpenShift: Deciding to use individual CRs, a top-level CR, or Cloud Pak for Integration.

New API discovery optional add-on service

API discovery is an optional add-on to API Connect that can be used to quickly discover the APIs in your organization, and pull them automatically into your API Manager. For information about how to enable API discovery, see Enabling API discovery on Kubernetes and Enabling API discovery on VMware.

Cert-manager is upgraded to version 1.12.10

API Connect 10.0.8.0 uses cert-manager 1.12.10. If your environment requires a manual installation or upgrade of cert-manager, the instructions are included as part of the API Connect installation and upgrade procedures.

Backup certificates requirement for VMware

On VMware deployments, to fully backup API Connect you must run a script to extract the management subsystem certificates. For more information, see Backup management certificates.

LDAP connection pooling for DataPower API Gateway

API Connect now supports LDAP connection pooling for the DataPower API Gateway service. Connection pooling reduces overhead and improves performance by maintaining a pool of connections and assigning them as needed. For more information, see the options in step 4 of Registering a gateway service.

SFTP management database backup support

The management subsystem database can be backed up to a remote SFTP server. In V10.0.7.0, only S3-compatible object-store is supported.

The CRD installation and upgrade processes now require additional parameters

In 10.0.8.0, CRD sizes increased. To ensure successful updates to a CRD, include the --server-side and --force-conflicts parameters in the kubectl apply command during installation or upgrade of CRDs.

The following topics now use the updated command to install or upgrade CRDs:

• Upgrading API Connect on Kubernetes
• Deploying operators in a single-namespace API Connect cluster
• Deploying operators in a multi-namespace API Connect cluster

Rollback scenarios for VMware upgrades

If certain known problems are encountered during the upgrade process on VMware, a rollback is performed automatically.

In all cases, contact IBM Support for help with resolving the underlying problem before you reattempt the upgrade. For more information, see Upgrade fails with an automatic rollback.

New flag for install command when upgrading from 10.0.5.x on VMware

When running the install command to upgrade the management subsystem from 10.0.5.x on VMware, use the --force-operand-update flag to bypass the Warning state that occurs due to the change from the Crunchy database to EDB. This new flag is included in the upgrade instructions in Upgrading management, portal, and analytics on VMware.

New OIDC registry option to return third-party tokens as separate claims

By default, OIDC third-party tokens are returned as part of the access_token that is issued by API Connect. Returning the OIDC third-party tokens as separate claims prevents the access_token from growing too large. For more information, see Configuring an OIDC user registry in Cloud Manager.

Event Gateway Service provides access to event endpoints managed by the Event Endpoint Management application

You can configure your IBM Event Endpoint Management instance to be registered as an Event Gateway Service in API Connect. With the Event Gateway Service, application developers can discover event endpoints and configure applications to access them through the event gateway.