Known limitations and restrictions

Known limitations and restrictions exist in 10.6.x.

Known limitations
Restrictions

Known limitations

The following table lists the known limitations. When a limitation is removed, that row contains the release about when resolved.

Table 1. Known limitations
Limitation	When resolved
GitOps integration is unsupported in the `default` domain.
When you create an instance of a crypto key or certificate, the log contains the error message `0x83a0001e` erroneously. You can ignore this error message. For a key `Missing CLI alias in CryptoKey, PasswordAlias.` For a certificate `Missing CLI alias in CryptoCertificate, PasswordAlias.`
FIPS cryptographic mode is unsupported. The DataPower® `main` task always operates in permissive mode. Even when configured in FIPS mode before an upgrade, the upgrade changes the mode to permissive.
To secure connections to an Oracle data source, the following TLS protocol versions are supported. The default protocol version is TLSv1.2. You can override the protocol version with the `CryptoProtocolVersion` configuration parameter. For ODBC, TLSv1.2 and TLSv1.3. For JDBC, TLSv1.2. To specify TLSv1.2 and TLSv1.3, specify `TLSv1.2,TLSv1.3` as the value for the `CryptoProtocolVersion` configuration parameter.
If you cannot log in to a tenant after a secure restore operation or running the reinitialize command, complete the following steps on the landlord. Access the configuration that defines the tenant. Change Administrative state to Off, and click Apply. Change Administrative state to On, and click Apply.
When you create the gateway-peering instance for API rate limits and the peering instance is in cluster mode, the following restrictions and limitations apply. These restrictions and limitations do not apply when the peering instance is in stand-alone or peer mode. The peering instance must contain at least six nodes, where three nodes must be primary nodes. After the creation of each node, wait until the cluster auto-configuration operation completes. When complete, you can create the next node in the peering instance. You can use the following artifacts to verify the completion of the operation. View the logs. View the information in the gateway-peering cluster status provider.
If the rate limit configuration is not enabled, the following behavior occurs. All subsequent scale limits generate errors. The transaction fails.
TLSv1.3 is unsupported in the TLS client profile for the analytics endpoint.
Although you configured a proxy policy for the API gateway, the proxy policy does not apply to the analytics endpoint if it uses the Kafka protocol. The proxy policy is applied to the analytics endpoint only when it uses the HTTP or HTTPS protocol.

Known limitations to the API gateway support for GraphQL exist. For this list, see GraphQL limitations.

Restrictions

The following permanent restrictions apply.

Although the volume for the RAID array appears as a subdirectory on the local: directory, it is not a subdirectory. Therefore, GitOps integration does not operate against files that you store in the RAID array.
SSLv3 is unsupported in the TLS profiles for the API Connect gateway service.
Due to increased security requirements, the API Connect gateway service fails to come up when PKCS #12 key-certificate pairs contain unsupported algorithms. This restriction applies to only noncontainer gateways to use a PKCS #12 key-certificate pair with unsupported algorithms. In this case, the log file contains the following message.
[0x88e00011][apic-gw-service][error] apic-gw-service(default): API Connect Gateway Service caught unhandled rejection: Error: All sentinels are unreachable. Retrying from scratch after 10ms. Last error: unsupported

To resolve, create a new key-certificate pair and update the configuration of the API Connect gateway service. You can create this key-certificate pair with the DataPower crypto tool or through a third-party tool, such as OpenSSLv3. You cannot use OpenSSLv1 because the key-certificate pair contains these unsupported algorithms.