Changed in 10.5.0
IBM® DataPower® Gateway 10.5.0 introduces the following value and behavioral changes.
Value changes
Since the previous long-term support (LTS) release, the following value changes apply.
| Function area | What changed | Previous | Current |
|---|---|---|---|
| Password aliases | 10.5.0.12 - Maximum character length of plaintext and encrypted password | 127 | 512 |
| Probe settings | 10.5.0.9 - Metric, supported range, and default value for expiration of captured data | | |
| GUI | 10.5.0.3 - Object names in GUI | When you used the GUI search to find an object class by name, the affected objects started with the word Crypto. | When you use the GUI search to find an object class by name, these objects no longer start with the word Crypto. |
| GUI | 10.5.0.0 - Action name in GUI | Archive/purge transactions | Purge B2B transaction data |
Behavioral changes
Since the previous long-term support (LTS) release, the following behavior changes apply. These
changes apply to the 10.0.1.5 or later fix packs.
- Default SSH cipher suites and MAC algorithms
  - 10.5.0.11 - Due to vulnerabilities, SSH profiles no longer have the following cipher suites and MAC algorithms as default values.
    - Cipher suites
      - aes128-cbc
      - aes192-cbc
      - aes256-cbc
      - blowfish-cbc
      - cast128-cbc
      - chacha20-poly1305@openssh.com
      - rijndael-cbc@lysator.liu.se
    - MAC algorithms
      - hmac-sha1-etm@openssh.com
      - hmac-sha2-256-etm@openssh.com
      - hmac-sha2-512-etm@openssh.com
      - umac-64-etm@openssh.com
      - umac-128-etm@openssh.com
- Value of the X-Post-Body-In header
  - 10.5.0.10 - The header value is now encoded. If the value is greater than or equal to 63537 characters, the data is truncated to 63536 characters.
- Detailed information in the memory status provider (show memory command)
  - 10.5.0.7 - The calculations for memory usage (%) and used memory (KB) changed. If you use the data for either of these properties in scripts, you might need to modify your scripts to account for this change. Without any change to your system, memory usage reports a greater percentage.
    - Memory usage calculation: now the percentage of installed memory that is in use, which is Used/Installed. Previously, the percentage of total memory that was in use, which was (Total-Free)/Total.
    - Used memory calculation: now the amount of installed memory in KB minus the amount of available memory, which is Installed-Available. Previously, the amount of total memory in KB minus the amount of free memory, which was Total-Free.
- Escape sequence and API paths
  - 10.5.0.6 - Meta characters in API paths are automatically escaped. Therefore, remove the \ character from any API path that uses this character for an escape sequence.
- Scope handling by third-party OAuth providers
  - 10.5.0.6 - When token validation requirements are set to 200 OK + active:true, validation requirements are strictly checked against response scopes in the response body. When the OAuth security requirement defines scopes that are not a subset of response scopes, the request is denied unless advanced scope checks are enabled. For more information, see Configuring a third-party product as the OAuth provider.
- Disable all hardware crypto features on a tenant
  - 10.5.0.3 - When you configure a tenant on an HSM-enabled appliance, you no longer need to disable all hardware crypto features on the tenant.
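The strict scope check described above for third-party OAuth providers, as an added example that is not DataPower's own code: it models the 200 OK + active:true requirement and the subset test of the security requirement's scopes against the scopes in the introspection response body. The introspection responses are constructed, and the advanced_scope_check flag is a hypothetical stand-in for the product's advanced scope checks that simply bypasses the subset test.

```python
import json

# Constructed sample introspection responses (not captured from a real provider).
SAMPLE_ACTIVE = json.dumps({"active": True, "scope": "read write"})
SAMPLE_INACTIVE = json.dumps({"active": False, "scope": "read write"})


def parse_scopes(scope_field):
    """Return the response scopes as a set; accepts a space-separated string or a list."""
    if scope_field is None:
        return set()
    if isinstance(scope_field, str):
        return set(scope_field.split())
    return set(scope_field)


def validate_token(status_code, body, required_scopes, advanced_scope_check=False):
    """Strict validation as described for 10.5.0.6: returns (allowed, reason).

    The request passes only when the provider answered 200 OK with "active": true
    and every scope in the security requirement appears in the response scopes.
    advanced_scope_check is a hypothetical flag standing in for the product's
    advanced scope checks; here it just skips the subset test.
    """
    if status_code != 200:
        return False, "status %d is not 200 OK" % status_code
    try:
        data = json.loads(body)
    except ValueError:
        return False, "response body is not JSON"
    if data.get("active") is not True:
        return False, "token is not active"
    granted = parse_scopes(data.get("scope"))
    missing = set(required_scopes) - granted
    if missing and not advanced_scope_check:
        return False, "required scopes not in response: " + " ".join(sorted(missing))
    return True, "ok"
```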
- Default cipher suites for new TLS client and server profiles
  - 10.5.0.3 - When you create a TLS client or server profile, the following suites are no longer defined as default cipher suites.
    - DHE_DSS_WITH_AES_256_GCM_SHA384
    - DHE_DSS_WITH_AES_256_CBC_SHA256
    - DHE_DSS_WITH_AES_256_CBC_SHA
    - RSA_WITH_AES_256_GCM_SHA384
    - RSA_WITH_AES_256_CBC_SHA256
    - RSA_WITH_AES_256_CBC_SHA
    - DHE_DSS_WITH_AES_128_GCM_SHA256
    - DHE_DSS_WITH_AES_128_CBC_SHA256
    - DHE_DSS_WITH_AES_128_CBC_SHA
    - RSA_WITH_AES_128_GCM_SHA256
    - RSA_WITH_AES_128_CBC_SHA256
    - RSA_WITH_AES_128_CBC_SHA
- Customizing ranges in DateTime custom scalars
  - 10.5.0.2 - To comply with the most recent GraphQL DateTime custom scalar specification, the range limit for min and max values was removed.
- Processing IBM Sterling Transformation Extender maps with a binary transform action
  - 10.5.0.1 - The support to process IBM Sterling Transformation Extender maps with a binary transform action is no longer included as a feature in Integration Module or B2B Module. If your existing configuration contains a processing rule that includes a binary transform action to process Transformation Extender maps, contact IBM Support. The support representative can grant you access to download and activate the new Transformation Extender Module. To validate whether you need this new module, export your complete configuration and search each domain configuration file for the tx-map command.
- A warning message when a gateway-peering instance uses the system default
  - 10.5.0.1 - Any gateway-peering instance that does not use an explicit password raises a warning message in the DataPower GUI. By default, each gateway-peering instance uses the system default for the password alias. The use of the system default is classified as a security vulnerability (CVE-2022-31776).
- Transaction logging is now based on the last log action in the assembly
  - 10.5.0.1 - At the end of the transaction, the API gateway updates the log according to the content type of the last log action in the assembly. Previously, when the assembly action was configured to gather only, the API gateway used the content type from the API definition.
- Internal representation of the authorization code
  - 10.5.0.0 - The internal representation of the authorization code changed in the 10.0.4 update package, which applies to the entire 10.0.1.x LTS stream. Due to this change, authorization codes do not work with earlier DataPower versions.
    Note: If a gateway-peering instance of the API security token service is configured to persist data across a restart, you must upgrade all members in the peer group to 10.5.x.x.
- Response to the REST ViewCertificateDetails request
  - 10.5.0.0 - The format of the JSON response changed for the REST ViewCertificateDetails request.
    - Current: `"ViewCertificateDetails": "Operation completed.", "CryptoCertificate": { "CertificateObject": "cert-3", "Domain": "test", ...`
    - Earlier: `"ViewCertificateDetails": {"value": "Operation completed."}, "CryptoCertificate": { "CertificateObject": {"value": "cert-3"}, "Domain": {"value": "test"}, ...`
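A tolerant parser for the ViewCertificateDetails response, as an added example rather than code from the product: it unwraps the earlier `{"value": ...}` form so a script reads the same fields from both formats. The two response bodies are constructed from the fragments above, with the elided remainder omitted.

```python
import json

# Constructed response bodies based on the fragments quoted on the page (not real output).
EARLIER_RESPONSE = '''{
  "ViewCertificateDetails": {"value": "Operation completed."},
  "CryptoCertificate": {
    "CertificateObject": {"value": "cert-3"},
    "Domain": {"value": "test"}
  }
}'''

CURRENT_RESPONSE = '''{
  "ViewCertificateDetails": "Operation completed.",
  "CryptoCertificate": {
    "CertificateObject": "cert-3",
    "Domain": "test"
  }
}'''


def unwrap_values(node):
    """Recursively replace {"value": x} wrappers with x, leaving other nodes alone.

    Caveat: an object whose only key is legitimately named "value" would also be
    unwrapped; the two formats on the page contain no such field.
    """
    if isinstance(node, dict):
        if set(node.keys()) == {"value"}:
            return unwrap_values(node["value"])
        return {key: unwrap_values(val) for key, val in node.items()}
    if isinstance(node, list):
        return [unwrap_values(item) for item in node]
    return node


def certificate_details(response_text):
    """Parse either response format; return (certificate object, domain, status message)."""
    data = unwrap_values(json.loads(response_text))
    cert = data.get("CryptoCertificate", {})
    return cert.get("CertificateObject"), cert.get("Domain"), data.get("ViewCertificateDetails")
```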
- Automatic buffering when message payloads are logged
  - 10.5.0.0 - When message payloads are logged, buffering occurs even when message buffering is not enabled in the API definition.