Changed in 10.5.0

IBM® DataPower® Gateway 10.5.0 introduces the following value and behavioral changes.

Value changes

Since the previous long-term support (LTS) release, the following value changes apply.

Table 1. Value changes in 10.5.0

Function area: Password aliases
What changed: 10.5.0.12 - Maximum character length of plaintext and encrypted passwords
Previous: 127
Current: 512

Function area: Probe settings
What changed: 10.5.0.9 - Metric, supported range, and default value for the expiration of captured data
Previous: Metric: minutes; Range: 5 - 1440; Default value: 60
Current: Metric: seconds; Range: 60 - 86400; Default value: 3600

Function area: GUI
What changed: 10.5.0.3 - Object names in the GUI
Previous: When you used the GUI search to find an object class by name, the following objects started with the word Crypto.
  • Crypto certificate
  • Crypto certificate monitor
  • Crypto identification credentials
  • Crypto key
  • Crypto shared secret key
  • Crypto validation credentials
Current: When you use the GUI search to find an object class by name, these objects no longer start with the word Crypto.

Function area: GUI
What changed: 10.5.0.0 - Action name in the GUI
Previous: Archive/purge transactions
Current: Purge B2B transaction data

Behavioral changes

Since the previous long-term support (LTS) release, the following behavior changes apply. These changes apply to the 10.0.1.5 or later fix packs.
Default SSH cipher suites and MAC algorithms
10.5.0.11 - Due to vulnerabilities, SSH profiles no longer have the following cipher suites and MAC algorithms as default values.
Cipher suites
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
  • rijndael-cbc@lysator.liu.se
MAC algorithms
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • umac-64-etm@openssh.com
  • umac-128-etm@openssh.com
Value of X-Post-Body-In header
10.5.0.10 - The header value is now encoded. If the value is greater than or equal to 63537 characters, the data is truncated to 63536 characters.
Detailed information in the memory status provider (show memory command)
10.5.0.7 - The calculations for memory usage (%) and used memory (KB) changed. If you use the data for either of these properties in scripts, you might need to modify your scripts to account for this change. Without any change to your system, memory usage reports a greater percentage.
Memory usage calculation
Now: the percentage of installed memory that is in use, calculated as Used/Installed. Previously: the percentage of total memory that was in use, calculated as (Total-Free)/Total.
Used memory calculation
Now: the amount of installed memory in KB minus the amount of available memory, calculated as Installed-Available. Previously: the amount of total memory in KB minus the amount of free memory, calculated as Total-Free.
Escape sequence and API paths
10.5.0.6 - Metacharacters in API paths are now escaped automatically. Therefore, remove the \ character from any API path that uses it as an escape sequence, or the path is escaped twice.
Scope handling by third-party OAuth providers
10.5.0.6 - When token validation requirements are set to 200 OK + active:true, validation requirements are strictly checked against response scopes in the response body. When the OAuth security requirement defines scopes that are not a subset of response scopes, the request is denied unless advanced scope checks are enabled. For more information, see Configuring a third-party product as the OAuth provider.
Disable all hardware crypto features on a tenant
10.5.0.3 - When you configure a tenant on an HSM-enabled appliance, you no longer need to disable all hardware crypto features on the tenant.
Default cipher suites for new TLS client and server profiles
10.5.0.3 - When you create a TLS client or server profile, the following suites are no longer defined as default cipher suites.
  • DHE_DSS_WITH_AES_256_GCM_SHA384
  • DHE_DSS_WITH_AES_256_CBC_SHA256
  • DHE_DSS_WITH_AES_256_CBC_SHA
  • RSA_WITH_AES_256_GCM_SHA384
  • RSA_WITH_AES_256_CBC_SHA256
  • RSA_WITH_AES_256_CBC_SHA
  • DHE_DSS_WITH_AES_128_GCM_SHA256
  • DHE_DSS_WITH_AES_128_CBC_SHA256
  • DHE_DSS_WITH_AES_128_CBC_SHA
  • RSA_WITH_AES_128_GCM_SHA256
  • RSA_WITH_AES_128_CBC_SHA256
  • RSA_WITH_AES_128_CBC_SHA
This change does not affect existing TLS client and server profiles. Review your TLS client and server profiles to evaluate whether your security requirements for TLS connections require these cipher suites. For more information, see the documentation for the following commands.
  • TLS client profile ciphers command.
  • TLS server profile ciphers command.
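Both the SSH change (10.5.0.11) and the TLS change (10.5.0.3) only alter defaults, so a profile that was created earlier, or that lists these algorithms explicitly, keeps them. The following script is an added example, not DataPower code: it takes a plain list of algorithm names as you would copy them out of your own profile configuration, splits it into entries that are still defaults and entries that 10.5.0 dropped from the defaults, and explains why each dropped TLS suite matters based on its name. It does not connect to an appliance; the sample lists at the bottom are constructed.

```python
"""Audit exported SSH/TLS profile algorithm lists against the 10.5.0 default changes.

Added example for this release-notes page; it is not DataPower code and does not
talk to an appliance.  Input is a list of algorithm names copied from your own
profile configuration (the samples below are constructed).
"""

# 10.5.0.11: cipher suites and MAC algorithms no longer in the SSH profile defaults.
SSH_CIPHERS_DROPPED = frozenset({
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc", "cast128-cbc",
    "chacha20-poly1305@openssh.com", "rijndael-cbc@lysator.liu.se",
})
SSH_MACS_DROPPED = frozenset({
    "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com", "umac-64-etm@openssh.com",
    "umac-128-etm@openssh.com",
})
# 10.5.0.3: suites no longer in the defaults for new TLS client/server profiles.
TLS_SUITES_DROPPED = frozenset({
    "DHE_DSS_WITH_AES_256_GCM_SHA384", "DHE_DSS_WITH_AES_256_CBC_SHA256",
    "DHE_DSS_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_256_GCM_SHA384",
    "RSA_WITH_AES_256_CBC_SHA256", "RSA_WITH_AES_256_CBC_SHA",
    "DHE_DSS_WITH_AES_128_GCM_SHA256", "DHE_DSS_WITH_AES_128_CBC_SHA256",
    "DHE_DSS_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_128_GCM_SHA256",
    "RSA_WITH_AES_128_CBC_SHA256", "RSA_WITH_AES_128_CBC_SHA",
})

DROPPED = {
    "ssh-cipher": SSH_CIPHERS_DROPPED,
    "ssh-mac": SSH_MACS_DROPPED,
    "tls-suite": TLS_SUITES_DROPPED,
}


def audit(kind, configured):
    """Split a configured list into entries still in the 10.5.0 defaults ("kept")
    and entries 10.5.0 dropped from the defaults ("flagged").  Matching is
    case-insensitive; order and spelling are preserved so the result maps back
    to the profile as written.  Blank entries are ignored."""
    dropped = {name.lower() for name in DROPPED[kind]}
    flagged, kept = [], []
    for entry in configured:
        name = entry.strip()
        if not name:
            continue
        (flagged if name.lower() in dropped else kept).append(name)
    return {"flagged": flagged, "kept": kept}


def explain_tls(suite):
    """Why a flagged TLS suite matters, read from its name: RSA_WITH_* suites use
    static RSA key exchange (no forward secrecy); DHE_DSS_WITH_* suites depend on
    DSS signatures.  Anything else gets a generic note."""
    name = suite.upper()
    if name.startswith("RSA_WITH_"):
        return "static RSA key exchange, no forward secrecy"
    if name.startswith("DHE_DSS_WITH_"):
        return "DSS-signed ephemeral Diffie-Hellman"
    return "no longer a default cipher suite"


# Constructed sample lists, not exported from a real appliance.
SAMPLE_SSH_CIPHERS = ["aes256-gcm@openssh.com", "aes256-ctr", "aes256-cbc",
                      "chacha20-poly1305@openssh.com"]
SAMPLE_TLS_SUITES = ["ECDHE_RSA_WITH_AES_256_GCM_SHA384", "RSA_WITH_AES_128_CBC_SHA",
                     "DHE_DSS_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for kind, sample in (("ssh-cipher", SAMPLE_SSH_CIPHERS), ("tls-suite", SAMPLE_TLS_SUITES)):
        result = audit(kind, sample)
        print(f"{kind}: still default -> {result['kept']}")
        for name in result["flagged"]:
            note = explain_tls(name) if kind == "tls-suite" else "dropped from SSH defaults in 10.5.0.11"
            print(f"  {name}: {note}")
```

Run it against each SSH and TLS profile in turn with the profile's actual list; an entry in "flagged" is not an error by itself, but it is a setting that 10.5.0 would not have chosen for you and therefore one to justify explicitly.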
Customizing ranges in DateTime custom scalars
10.5.0.2 - To comply with the most recent GraphQL DateTime custom scalar specification, the range limit for min and max values is removed.
Processing IBM Sterling Transformation Extender maps with a binary transform action
10.5.0.1 - The support to process IBM Sterling Transformation Extender maps with a binary transform action is no longer included as a feature in Integration Module or B2B Module. If your existing configuration contains a processing rule that includes a binary transform action to process Transformation Extender maps, contact IBM Support. The support representative can grant you access to download and activate the new Transformation Extender Module. To validate whether you need this new module, export your complete configuration and search each domain configuration file for the tx-map command.
A warning message when a gateway-peering instance uses the system default
10.5.0.1 - Any gateway-peering instance that does not use an explicit password raises a warning message in the DataPower GUI. By default, each gateway-peering instance uses the system default for the password alias. The use of the system default is classified as a security vulnerability (CVE-2022-31776).
Transaction logging is now based on the last log action in the assembly
10.5.0.1 - At the end of the transaction, the API gateway updates the log according to the content type of the last log action in the assembly. Previously, when the assembly action was configured to gather only, the API gateway used the content type from the API definition.
Internal representation of the authorization code
10.5.0.0 - The internal representation of the authorization code changed in the 10.0.4 update package, which applies to the entire 10.0.1.x LTS stream. Due to this change, authorization codes do not work with earlier DataPower versions.
Note: If a gateway-peering instance of the API security token service is configured to persist data across a restart, you must upgrade all members in the peer group to 10.5.x.x.
Response to the REST ViewCertificateDetails request
10.5.0.0 - The format of the JSON response changed for the REST ViewCertificateDetails request.
Current
"ViewCertificateDetails": "Operation completed.",
  "CryptoCertificate": {
    "CertificateObject": "cert-3",
    "Domain": "test",
    ...
Earlier
"ViewCertificateDetails": {"value": "Operation completed."},
  "CryptoCertificate": {
    "CertificateObject": {"value": "cert-3"},
    "Domain": {"value": "test"},
    ...
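A client script that reads the earlier response by indexing into "value" breaks on 10.5.0.0, and one written for the new format breaks against an older appliance. The following is an added example, not DataPower code: a small normalizer that unwraps the earlier {"value": ...} form recursively so the same consumer works against either format, and that reports which format it received. The two sample responses are constructed from the fragments above and contain only the fields shown there.

```python
"""Normalize ViewCertificateDetails REST responses across the 10.5.0.0 format change.

Added example for this release-notes page, not DataPower code.  Earlier
releases wrapped every scalar as {"value": ...}; 10.5.0.0 returns bare scalars.
"""
import json


def _is_wrapped(node):
    """True for the earlier-format scalar wrapper: a dict whose only key is "value"."""
    return isinstance(node, dict) and set(node) == {"value"}


def unwrap(node):
    """Recursively replace {"value": x} with x; leave everything else untouched."""
    if _is_wrapped(node):
        return unwrap(node["value"])
    if isinstance(node, dict):
        return {key: unwrap(val) for key, val in node.items()}
    if isinstance(node, list):
        return [unwrap(val) for val in node]
    return node


def detect_format(response):
    """"earlier" if the top-level ViewCertificateDetails status is wrapped, else "current"."""
    return "earlier" if _is_wrapped(response.get("ViewCertificateDetails")) else "current"


def parse_view_certificate_details(raw):
    """Parse the JSON text and return (format, status_message, certificate_fields)
    with both formats normalized to the 10.5.0.0 shape."""
    response = json.loads(raw)
    fmt = detect_format(response)
    normalized = unwrap(response)
    return fmt, normalized.get("ViewCertificateDetails"), normalized.get("CryptoCertificate", {})


# Constructed samples built from the fragments in the release notes.
CURRENT_SAMPLE = json.dumps({
    "ViewCertificateDetails": "Operation completed.",
    "CryptoCertificate": {"CertificateObject": "cert-3", "Domain": "test"},
})
EARLIER_SAMPLE = json.dumps({
    "ViewCertificateDetails": {"value": "Operation completed."},
    "CryptoCertificate": {"CertificateObject": {"value": "cert-3"}, "Domain": {"value": "test"}},
})

if __name__ == "__main__":
    for raw in (CURRENT_SAMPLE, EARLIER_SAMPLE):
        fmt, status, cert = parse_view_certificate_details(raw)
        print(f"{fmt:8} {status!r} {cert}")
```

The one ambiguity to be aware of: a genuine 10.5.0.0 object whose only key happens to be "value" would also be unwrapped. None of the fields shown on this page have that shape, but if you rely on this normalizer for other REST responses, check the format with detect_format first and only call unwrap on "earlier" responses.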
Automatic buffering when message payloads are logged
10.5.0.0 - When message payloads are logged, buffering occurs even when message buffering is not enabled in the API definition.