Changed in the 10.5.x CD stream
The 10.5.x CD stream for IBM® DataPower® Gateway introduces the following value and behavioral changes.
Value changes
Since the previous long-term support (LTS) release, the following changes apply to values. These changes apply to the 10.5.0.5 or later fix packs.
Function area | What changed | Previous | Current |
---|---|---|---|
GUI login | 10.5.4 - Choice of preferred GUI. | Choice between WebGUI and the new UI | No choice |
Secure restore | 10.5.4 - MTM of secure backup system. | Property to specify MTM. | Obtain MTM from the backup manifest. |
User security assembly action | 10.5.4 - Maximum value when identity extraction uses a redirect | 600 | 6000 |
Probe settings | 10.5.3 - Metric, supported range, and default value for expiration of captured data. | | |
GUI login | 10.5.1 - The default selection for preferred GUI. | WebGUI | New UI |
SSH KEX algorithms | 10.5.1 - Default KEX algorithms | diffie-hellman-group14-sha1 as a default. | diffie-hellman-group14-sha1 removed. |
Behavioral changes
Since the previous long-term support (LTS) release, the following changes apply to behavior.
These changes apply to the 10.5.0.5 or later fix packs.
- Access to the WebGUI
- 10.5.4 - You can no longer choose between logging in to the WebGUI or the new UI. When you log in, the new UI opens and you cannot switch to the WebGUI. If you must access the WebGUI because the new UI has a functional problem, change the browser URL from http://<hostname>:<port>/ui/<path> to http://<hostname>:<port>.
- Default SSH cipher suites and MAC algorithms
- 10.5.4 - Due to vulnerabilities, SSH profiles no longer have the following cipher suites and MAC algorithms as default values.
  - Cipher suites
    - chacha20-poly1305@openssh.com
  - MAC algorithms
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-512-etm@openssh.com
    - hmac-sha1-etm@openssh.com
    - umac-64-etm@openssh.com
    - umac-128-etm@openssh.com

  You can use the CLI to reset the cipher suites and MAC algorithms to use their defaults. After you enter the configuration mode for each SSH profile, use the following commands.
  - Reset cipher suites
    - # no ciphers
  - Reset MAC algorithms
    - # no mac-alg
- Value of X-Post-Body-In header
- 10.5.4 - The header value is now encoded. If the value is greater than or equal to 63537 characters, the data is truncated to 63536 characters.
- Object to access the memory status provider
- 10.5.3 - The MemoryUsage status object is obsolete and replaced by the MemoryUsage2 status object. The replacement object does not have the FreeMemory data. This data is no longer used in any calculation for this status provider.
- Accessing the probe
- 10.5.3 - Independent of the GUI, you can access the probe page with the search facility.
- In the WebGUI, the traditional probe is still a tab on the troubleshooting page.
- In the new UI, the new probe is no longer on the troubleshooting page.
- Detailed information in the memory status provider (show memory command)
- 10.5.2 - The calculations for memory usage (%) and used memory (KB) changed to report accurately. If you use the data for either of these properties in scripts, you might need to modify your scripts to account for this change. Without any change to your system, memory usage reports a greater percentage.
  - Memory usage calculation
  - Now, the percentage of installed memory that is in use, which is Used/Installed. Previously, the percentage of total memory that was in use, which was (Total-Free)/Total.
  - Used memory calculation
  - Now, the amount of installed memory in KB minus the amount of available memory, which is Installed-Available. Previously, the amount of total memory in KB minus the amount of free memory, which was Total-Free.
- Escape sequence and API paths
- 10.5.2 - Meta characters in API paths are automatically escaped. Therefore, remove the \ character from any API path that uses this character for an escape sequence.
- SSH version banner
- 10.5.1 - The version banner that the DataPower Gateway presents as an SSH client changed to DataPowerSSH_2.91.
- Supported SSH cipher suites, KEX algorithms, and MAC algorithms
- 10.5.1 - The following SSH cipher suites, KEX algorithms, and MAC algorithms are no longer available and might impact SSH connections where the DataPower Gateway is an SSH client or SSH server.
  - Cipher suites
    - 3des-cbc
    - aes128-cbc
    - aes192-cbc
    - aes256-cbc
    - arcfour
    - arcfour128
    - arcfour256
    - blowfish-cbc
    - cast128-cbc
    - rijndael-cbc@lysator.liu.se
  - KEX algorithms
    - diffie-hellman-group1-sha1
    - diffie-hellman-group14-sha1
    - diffie-hellman-group-exchange-sha1
  - MAC algorithms
    - hmac-sha1-96
    - hmac-md5
    - hmac-md5-96
    - hmac-ripemd160
    - hmac-ripemd160@openssh.com
    - hmac-sha1-96-etm@openssh.com
    - hmac-md5-etm@openssh.com
    - hmac-md5-96-etm@openssh.com
    - hmac-ripemd160-etm@openssh.com
- Scope handling by third-party OAuth providers
- 10.5.1 - When token validation requirements are set to 200 OK + active:true, validation requirements are strictly checked against response scopes in the response body. When the OAuth security requirement defines scopes that are not a subset of response scopes, the request is denied unless advanced scope checks are enabled. For more information, see Configuring a third-party product as the OAuth provider.
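
The 10.5.1 and 10.5.4 SSH entries above can be turned into a pre-upgrade check of the algorithm lists that an SSH peer is configured with. The following Python sketch is an added example, not IBM code; the sample sshd_config text, the function names, and the status labels are constructed for illustration, and only explicit Ciphers, KexAlgorithms, and MACs lists are parsed.

```python
# Added example; algorithm lists copied from the 10.5.1 and 10.5.4 entries on this page.
REMOVED_10_5_1 = {
    "ciphers": set("3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 "
                   "blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se".split()),
    "kexalgorithms": set("diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 "
                         "diffie-hellman-group-exchange-sha1".split()),
    "macs": set("hmac-sha1-96 hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com "
                "hmac-sha1-96-etm@openssh.com hmac-md5-etm@openssh.com "
                "hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com".split()),
}
NOT_DEFAULT_10_5_4 = {
    "ciphers": {"chacha20-poly1305@openssh.com"},
    "kexalgorithms": set(),
    "macs": set("hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com "
                "hmac-sha1-etm@openssh.com umac-64-etm@openssh.com "
                "umac-128-etm@openssh.com".split()),
}
# Constructed sample: explicit algorithm lists from a peer's sshd_config.
SAMPLE_PEER_CONFIG = """\
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes256-cbc,aes256-ctr   # legacy partner
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-96
"""

def parse_peer_config(text):
    """Return {keyword: [algorithms]} for explicit lists (no +/-/^ modifiers)."""
    offered = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() in REMOVED_10_5_1:
            offered[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return offered

def audit(offered):
    """Classify each category by what remains after the 10.5.x changes."""
    report = {}
    for cat, algs in offered.items():
        removed = [a for a in algs if a in REMOVED_10_5_1[cat]]
        dropped = [a for a in algs if a in NOT_DEFAULT_10_5_4[cat]]
        left = [a for a in algs if a not in removed and a not in dropped]
        if len(removed) == len(algs):
            status = "blocked"           # nothing the peer lists survives 10.5.1
        elif not left:
            status = "non-default-only"  # survivors are off the 10.5.4 defaults
        else:
            status = "reduced" if removed or dropped else "ok"
        report[cat] = {"status": status, "removed": removed, "left": left}
    return report
if __name__ == "__main__":
    print(audit(parse_peer_config(SAMPLE_PEER_CONFIG)))
```

A "blocked" category means that every algorithm the peer lists was removed in 10.5.1, so no common algorithm can be negotiated for it. A MACs finding matters only when the negotiated cipher is not an AEAD cipher, because AEAD ciphers provide their own integrity protection.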