Changed in 10.6.x
IBM® DataPower® Gateway 10.6.x introduces the following value and behavioral changes. Information about 10.6.0.1 and earlier fix packs is included.
Library upgrade to support TLS
10.6.0.0 includes an updated library to support TLS and cryptographic operations. The updated crypto library improves security and usability, but the added complexity of this implementation comes with a performance cost. This update is needed to maintain the proper security posture, which includes CVE updates.
Value changes
In the 10.6.x continuous delivery (CD) release, the following changes apply to values. These changes apply to 10.6.0.0 and later fix packs and to 10.6.1 and later update packages.
Function area | What changed | Previous | Current |
---|---|---|---|
Password aliases | 10.6.0.0 - Maximum character length of plaintext and encrypted password | 127 | 512 |
GitOps templates | 10.6.0.0 - Label text | | |
Behavioral changes
In the 10.6.x CD release, the following changes apply to behavior. These changes apply to 10.6.0.0 and later fix packs and to 10.6.1 and later update packages.
- API routing to determine which API to process
  - 10.6.0.1 - The rules changed when the API gateway runs the routing API action to match which API to process. For more information, see Routing API action.
- Default TLS server profile to secure connections from clients
  - 10.6.0.0 - The default TLS server profile that secures connections from clients to any management interface supports only TLS 1.2 and TLS 1.3 and the following cipher suites in preference order.
    1. AES_256_GCM_SHA384
    2. CHACHA20_POLY1305_SHA256
    3. ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    4. ECDHE_RSA_WITH_AES_256_GCM_SHA384

    Instead of using the built-in TLS server profile that uses a DataPower self-signed certificate, use a custom TLS server profile or TLS SNI server profile to secure connections from clients. For more information, see Custom TLS profile for management access.
- Error message when remote peer abruptly closes a TLS connection without sending the close_notify alert
  - 10.6.0.0 - The close_notify alert at the end of a TLS handshake is mandatory. However, some peers do not send the close_notify alert, which abruptly ends the TLS connection. When a TLS client abruptly closes a connection, message 0x8120002f is logged with TLS error 0A000126. This TLS library error indicates an unexpected EOF.
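
To check which management clients will still connect after the default TLS server profile change in 10.6.0.0, the following added example (not IBM code) models the profile's protocol and cipher selection over a constructed client inventory. It assumes OpenSSL-style cipher names, server-preference ordering, and a hypothetical `server_key` parameter for the key type of the certificate behind the profile.

```python
# Added example; not IBM code. Cipher names are the OpenSSL spellings of the
# four suites listed for the 10.6.0.0 default management profile, in the
# profile's preference order, each tagged with its protocol and auth type.
PROFILE = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", None),
    ("TLS_CHACHA20_POLY1305_SHA256", "TLSv1.3", None),
    ("ECDHE-ECDSA-AES256-GCM-SHA384", "TLSv1.2", "ECDSA"),
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "RSA"),
]
VERSIONS = ("TLSv1.3", "TLSv1.2")  # highest first; nothing older is accepted


def negotiate(client_versions, client_ciphers, server_key="RSA"):
    """Return (version, cipher) the profile would select, or None on failure.

    Assumptions: the highest common version is fixed first and not revisited,
    the server's preference order wins, and a TLS 1.2 suite is usable only if
    its authentication type matches the server certificate key (server_key).
    """
    version = next((v for v in VERSIONS if v in client_versions), None)
    if version is None:
        return None  # client tops out below TLS 1.2
    for cipher, proto, auth in PROFILE:
        if proto == version and cipher in client_ciphers and auth in (None, server_key):
            return version, cipher
    return None  # version agreed, but no suite in common


# Constructed client inventory (hypothetical names and offers).
CLIENTS = {
    "admin-browser": ({"TLSv1.2", "TLSv1.3"},
                      ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                       "ECDHE-RSA-AES256-GCM-SHA384"]),
    "backup-script": ({"TLSv1.2"},
                      ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]),
    "legacy-monitor": ({"TLSv1", "TLSv1.1"}, ["AES256-SHA"]),
    "aes128-only": ({"TLSv1.2"}, ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384"]),
    "ecdsa-pinned": ({"TLSv1.2"}, ["ECDHE-ECDSA-AES256-GCM-SHA384"]),
}


def audit(clients, server_key="RSA"):
    """Map each client name to its negotiated (version, cipher) or None."""
    return {name: negotiate(v, c, server_key) for name, (v, c) in clients.items()}


if __name__ == "__main__":
    for name, result in audit(CLIENTS).items():
        print(f"{name:15} {result or 'HANDSHAKE FAILURE'}")
```

Clients that map to `None` are the ones to reconfigure, or to move behind a custom TLS server profile, before the upgrade.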