Changed in the 10.5.x CD stream

The 10.5.x CD stream for IBM® DataPower® Gateway introduces the following value and behavioral changes.

Value changes

Since the previous long-term support (LTS) release, the following changes apply to values. These changes apply to the 10.5.0.5 or later fix packs.

Table 1. Value changes in 10.5.x CD stream

| Function area | What changed | Previous | Current |
|---|---|---|---|
| GUI login | 10.5.4 - Choice of preferred GUI. | Choice between WebGUI and the new UI | No choice |
| Secure restore | 10.5.4 - MTM of secure backup system. | Property to specify MTM. | Obtain MTM from the backup manifest. |
| User security assembly action | 10.5.4 - Maximum value when identity extraction uses a redirect | 600 | 6000 |
| Probe settings | 10.5.3 - Metric, supported range, and default value for expiration of captured data. | Metric: Minutes; Range: 5 - 1440; Default value: 60 | Metric: Seconds; Range: 60 - 86400; Default value: 3600 |
| GUI login | 10.5.1 - The default selection for preferred GUI. | WebGUI | New UI |
| SSH KEX algorithms | 10.5.1 - Default KEX algorithms | diffie-hellman-group14-sha1 as a default. | diffie-hellman-group14-sha1 removed. |

Behavioral changes

Since the previous long-term support (LTS) release, the following changes apply to behavior. These changes apply to the 10.5.0.5 or later fix packs.
Access to the WebGUI
10.5.4 - You can no longer choose between logging in to the WebGUI or the new UI. When you log in, the new UI opens and you cannot switch to the WebGUI. If you must access the WebGUI because the new UI has a functional problem, change the browser URL from http://<hostname>:<port>/ui/<path> to http://<hostname>:<port>.
Default SSH cipher suites and MAC algorithms
10.5.4 - Due to vulnerabilities, SSH profiles no longer have the following cipher suites and MAC algorithms as default values.
Cipher suites
  • chacha20-poly1305@openssh.com
MAC algorithms
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1-etm@openssh.com
  • umac-64-etm@openssh.com
  • umac-128-etm@openssh.com
You can use the CLI to reset the cipher suites and MAC algorithms to use their defaults. After you enter the configuration mode for each SSH profile, use the following commands.
Reset cipher suites
# no ciphers
Reset MAC algorithms
# no mac-alg
Value of X-Post-Body-In header
10.5.4 - The header value is now encoded. If the value is greater than or equal to 63537 characters, the data is truncated to 63536 characters.
Object to access the memory status provider
10.5.3 - The MemoryUsage status object is obsolete and replaced by the MemoryUsage2 status object. The replacement object does not have the FreeMemory data. This data is no longer used in any calculation for this status provider.
Accessing the probe
10.5.3 - Independent of the GUI, you can access the probe page with the search facility.
  • In the WebGUI, the traditional probe is still a tab on the troubleshooting page.
  • In the new UI, the new probe is no longer on the troubleshooting page.
Detailed information in the memory status provider (show memory command)
10.5.2 - The calculations for memory usage (%) and used memory (KB) changed to report accurately. If you use the data for either of these properties in scripts, you might need to modify your scripts to account for this change. Without any change to your system, memory usage reports a greater percentage.
Memory usage calculation
Now, the percentage of installed memory that is in use, which is Used/Installed. Previously, the percentage of total memory that was in use, which was (Total-Free)/Total.
Used memory calculation
Now, the amount of installed memory in KB minus the amount of available memory, which is Installed-Available. Previously, the amount of total memory in KB minus the amount of free memory, which was Total-Free.
This change is also in the 10.5.0.7 fix pack.
Escape sequence and API paths
10.5.2 - Meta characters in API paths are automatically escaped. Therefore, remove the \ character from any API path that uses this character for an escape sequence.
SSH version banner
10.5.1 - The version banner that the DataPower Gateway presents as an SSH client changed to DataPowerSSH_2.91.
Supported SSH cipher suites, KEX algorithms, and MAC algorithms
10.5.1 - The following SSH cipher suites, KEX algorithms, and MAC algorithms are no longer available and might impact SSH connections where the DataPower Gateway is an SSH client or SSH server.
Cipher suites
  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • arcfour
  • arcfour128
  • arcfour256
  • blowfish-cbc
  • cast128-cbc
  • rijndael-cbc@lysator.liu.se
KEX algorithms
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha1
MAC algorithms
  • hmac-sha1-96
  • hmac-md5
  • hmac-md5-96
  • hmac-ripemd160
  • hmac-ripemd160@openssh.com
  • hmac-sha1-96-etm@openssh.com
  • hmac-md5-etm@openssh.com
  • hmac-md5-96-etm@openssh.com
  • hmac-ripemd160-etm@openssh.com
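Before an upgrade, the 10.5.1 removals above and the 10.5.4 default changes listed earlier can be checked against the algorithm lists that an SSH peer is configured with. The following is an added example, not IBM code, and it uses no DataPower API: it parses a constructed OpenSSH-style sshd_config excerpt for a hypothetical peer and classifies each list. The status names and the curve25519-sha256 entry in the sample are assumptions.

```python
REMOVED = {  # 10.5.1: no longer available
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
                "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
                "rijndael-cbc@lysator.liu.se"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-sha1-96", "hmac-md5", "hmac-md5-96", "hmac-ripemd160",
             "hmac-ripemd160@openssh.com", "hmac-sha1-96-etm@openssh.com",
             "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
             "hmac-ripemd160-etm@openssh.com"},
}
NON_DEFAULT = {  # 10.5.4: no longer default values in SSH profiles
    "ciphers": {"chacha20-poly1305@openssh.com"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "hmac-sha1-etm@openssh.com", "umac-64-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
# Constructed sample: sshd_config excerpt of a hypothetical legacy SFTP peer.
SAMPLE = """Ciphers aes256-cbc,3des-cbc
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-md5
"""

def parse_peer_config(text):
    """Return {keyword: [algorithms]}; the first occurrence of a keyword wins."""
    lists = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        algs = [a.strip() for a in "".join(parts[1:]).split(",") if a.strip()]
        if parts and parts[0].lower() in REMOVED and algs:
            lists.setdefault(parts[0].lower(), algs)
    return lists

def audit(text):
    """Map keyword -> (status, entries removed in 10.5.1)."""
    report = {}
    for key, algs in parse_peer_config(text).items():
        gone = [a for a in algs if a in REMOVED[key]]
        left = [a for a in algs if a not in REMOVED[key]]
        if algs[0][0] in "+-^":  # OpenSSH modifier: list is relative to defaults
            status = "relative"
        elif not left:
            status = "fail"  # every listed algorithm was removed in 10.5.1
        elif all(a in NON_DEFAULT.get(key, ()) for a in left):
            status = "non-default-only"  # survivors left the defaults in 10.5.4
        else:
            status = "ok"  # some entry is on neither list; still verify it
        report[key] = (status, gone)
    return report
```

A status of ok means only that at least one entry is on neither list; confirm that the SSH profile on the gateway actually offers that algorithm.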
Scope handling by third-party OAuth providers
10.5.1 - When token validation requirements are set to 200 OK + active:true, validation requirements are strictly checked against response scopes in the response body. When the OAuth security requirement defines scopes that are not a subset of response scopes, the request is denied unless advanced scope checks are enabled. For more information, see Configuring a third-party product as the OAuth provider.