New in 10.6.x
The IBM® DataPower® Gateway 10.6.x offers the following new features and enhancements. Information about 10.6.0.1 and earlier fix packs is included.
For a list of resolved APARs, see Update packages for DataPower Gateway 10.6.x.
New in 10.6.1
10.6.1 includes the following new features.
- Added adaptive mode to the analytics endpoint to control the size of analytics records based on memory usage
- Added support to IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity
- Added support for the sha256-rsa-MGF1 algorithm
- Added the Comments property to objects
New in 10.6.0.1 and earlier fix packs
10.6.0.1 includes all new features in 10.5.0.11 and earlier fix packs. 10.6.0.0 replaces the 10.5.4 continuous delivery (CD) release.
- Added support to the TLS server profile to control whether to require TLS peers to send the close_notify alert on shutdown
- Added support to disable TLS renegotiation completely
- Added support for OpenTelemetry integration
- Added support for OIDC authentication to RBM
- Added support to run actions that are related to the probe without the need to access the GUI
- Enhanced GitOps integration
- Added support to the API gateway to configure an LDAP connection pool and flush its cache
- Added action and party that last modified an application or client key to API subscriber status
- Added support for more JSONata functions for use by assembly actions
- Added an extension function to verify whether an action in an assembly is an assembly action or a processing action
- Extended XSLT extensions that manage variables and message payload in JSON for custom XSLT processing by the API gateway
- Extended the GatewayScript context.reject() API to support a custom HTTP status code and reason phrase
- Added support to control which TLS profiles secure connections to retrieve WSDL files
For more information about the new features, see the linked information.
10.6.1
The following information is a summary of the new features in 10.6.1.
- Added adaptive mode to the analytics endpoint to control the size of analytics records based on memory usage
  - When you configure the analytics endpoint, you can specify whether you want to use adaptive mode that dynamically controls the maximum size of analytics records. Adaptive mode helps to avoid dropped analytics records and an out-of-memory state. In adaptive mode, the following behavior occurs based on memory usage.
    - When the state reports as normal, the size of each analytics record is the defined maximum record size.
    - When the state reports as low, the size of each analytics record is reduced to 4 KB.
    - When the state reports as out of memory, no analytics records are queued.
- Added support to IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity
  - When you configure an IBM MQ v9+ queue manager, you can modify the behavior of OCSP and CRL checking for TLS connectivity. The default behavior for OCSP and CRL checks for TLS connectivity is as follows. For more information, see Configuring an IBM MQ queue manager.
    - Attempt an OCSP security check against the servers in the AuthorityInfoAccess (AIA) certificate extension.
    - When the revocation status of a certificate cannot be determined from an OCSP server, the connection is closed with an error.
    - Do not run a CDP revocation check against the servers in the CrlDistributionPoint (CDP) certificate extension.
    - Attempt to load the configuration for certificate revocation from the CCDT file, and run the check as configured. If the CCDT file cannot be opened or the certificate cannot be validated, the MQCONN call fails.
- Added support for the sha256-rsa-MGF1 algorithm
  - When you configure the sign action, you can specify the asymmetric sha256-rsa-MGF1 algorithm. When a message is signed with this algorithm, the verify action can verify this RSA-signed message.
- Added the Comments property to objects
  - When you create or modify instances of the following crypto objects, you can specify the Comments property.
    - Certificate
    - Firewall credentials
    - Identification credentials
    - Key
    - Shared secret key
    - Validation credentials
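The sha256-rsa-MGF1 algorithm listed above is the XML Signature name for RSASSA-PSS with a SHA-256 digest and MGF1 over SHA-256. The following Go program is an added illustration, not code from DataPower or its documentation: it signs a constructed message with those parameters using only the standard library, verifies it, and shows that flipping one bit of the message makes verification fail. The key size, the sample message, and the function names are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Parameters that the sha256-rsa-MGF1 identifier denotes in XML Signature
// (RFC 6931): RSASSA-PSS, SHA-256 digest, MGF1 over SHA-256, and a salt as
// long as the digest. The page names the algorithm; the parameters are ours.
var pssOpts = rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// signMessage hashes msg with SHA-256 and produces an RSASSA-PSS signature.
// PSS is randomized, so two signatures over the same message differ.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], &pssOpts)
}

// verifyMessage reports whether sig is a valid PSS signature over msg under pub.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, &pssOpts) == nil
}

// roundTrip generates a fresh 2048-bit key (assumed size), signs msg, then
// returns whether the original verifies and whether a one-bit-tampered copy does.
func roundTrip(msg []byte) (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sig, err := signMessage(priv, msg)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[0] ^= 0x01 // msg must be non-empty
	return verifyMessage(&priv.PublicKey, msg, sig),
		verifyMessage(&priv.PublicKey, tampered, sig), nil
}

func main() {
	// Constructed sample message, standing in for a canonicalized SOAP body.
	ok, tamperedOk, err := roundTrip([]byte(`<order id="42"/>`))
	fmt.Println(ok, tamperedOk, err) // true false <nil>
}
```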
10.6.0.1 and earlier fix packs
The following information is a summary of the new features in 10.6.0.1.
- Added support to the TLS server profile to control whether to require TLS peers to send the close_notify alert on shutdown
  - When you configure a TLS server profile, you can control whether to require TLS peers to send the close_notify alert on shutdown. The close_notify alert at the end of a TLS handshake is mandatory. However, some peers do not send the close_notify alert, which abruptly ends the TLS connection. For more information, see Creating a TLS server profile.
- Added support to disable TLS renegotiation completely
  - When you configure a TLS profile, you can define the profile to disable TLS renegotiation completely. For more information, see TLS connections.
- Added support for OpenTelemetry integration
  - On the DataPower Gateway, you can configure integration points for OpenTelemetry. This support is primarily for API Connect integration. For more information, see OpenTelemetry integration.
- Added support for OIDC authentication to RBM
  - When you configure RBM settings, you can define OIDC as the authentication method. This authentication method securely connects to an OIDC identity endpoint to retrieve public keys for OIDC validation. For more information, see Defining RBM for OIDC authentication.
- Added support to run actions that are related to the probe without the need to access the GUI
  - On the DataPower Gateway, you can use the commands in debug probe mode to run actions that are related to the probe. The probe captures data for transactions that a service processes, which you can use to help troubleshoot a problem. For more information, see Debug probe commands.
- Enhanced GitOps integration
  - In the default domain, you can define GitOps variables. GitOps variables are the vector of global name-value pairs for use in GitOps templates. For more information, see Managing GitOps variables for GitOps templates.
  - While you are creating a GitOps template entry, you can test what the template entry does and whether it works as expected. For more information, see Managing GitOps templates.
  - When you use GitOps, you can view the status for GitOps and GitOps template operations. These status providers provide the necessary details to help in troubleshooting. For more information, see Viewing status for GitOps and GitOps template operations.
  - Added the global gitops-remove-template command to trigger the removal of a template from the Git repository that is configured in the GitOps object. For more information, see gitops-remove-template.
- Added support to the API gateway to configure an LDAP connection pool and flush its cache
  - When you configure an API gateway, you can assign an LDAP connection pool to connect to the LDAP server. Each API gateway maintains a cache for its LDAP connection pool. For operational reasons, you might need to clear the data in the LDAP cache. For more information, see Configuring an API gateway.
- Added action and party that last modified an application or client key to API subscriber status
  - When you view information about API subscribers, the data includes the action and party that last modified the application or client key. For more information, see Viewing shared storage for API subscribers.
- Added support for more JSONata functions for use by assembly actions
  - When you use JSONata in assembly functions, you can now use the following functions from the JSONata Date/Time and Numeric function libraries.
    - Added from the JSONata Date/Time function library. For more information, see Supported JSONata Date/Time functions.
      - $now()
      - $fromMillis()
      - $toMillis()
    - Added from the JSONata Numeric function library. For more information, see Supported JSONata Numeric functions.
      - $formatInteger()
      - $formatNumber()
      - $parseInteger()
- Added an extension function to verify whether an action in an assembly is an assembly action or a processing action
  - When you define custom XSLT processing for an API gateway, you can use the apigw:is-assembly-action() extension function to verify whether the action in an assembly is an assembly action or a processing action. Returns true when the action is an assembly action. Otherwise, returns false. For more information, see apigw:is-assembly-action().
- Extended XSLT extensions that manage variables and message payload in JSON for custom XSLT processing by the API gateway
  - When you create the stylesheet for an XSLT assembly action, the following XSLT extensions are enhanced to support JSON variables and message payloads.
    - apigw:set-payload extension element: Added the jsonx2json and parse-string attributes. The jsonx2json attribute specifies whether to convert the payload from JSONx to a JSON object. The parse-string attribute specifies how to parse the payload. For more information, see apigw:set-payload.
    - apigw:read-payload() extension function: Added the stringify parameter. This parameter specifies whether to read the payload as a string instead of an XML or JSON document. For more information, see apigw:read-payload().
    - apigw:set-variable extension element: Added the jsonx2json and parse-string attributes. The jsonx2json attribute specifies whether to convert the variable value from JSONx to a JSON object. The parse-string attribute specifies whether to parse and convert the variable value to a JSON object. For more information, see apigw:set-variable.
    - apigw:get-variable() extension function: Added the stringify parameter. This parameter specifies whether to get the variable value as a string instead of an XML or JSON document. For more information, see apigw:get-variable().
- Extended the GatewayScript context.reject() API to support a custom HTTP status code and reason phrase
  - When you create a custom GatewayScript that uses the context.reject() API, you can add your own custom HTTP status code and reason phrase. For more information, see context.reject().
- Added support to control which TLS profiles secure connections to retrieve WSDL files
  - When the URL to retrieve the file starts with https://, the retrieval uses the system-wsgw-management-loopback-ua user agent in the default domain. By default, this user agent uses the system-wsgw-management-loopback TLS proxy profile, which is predefined, and you cannot modify its cryptographic artifacts (profiles). Because the TLS proxy profile is deprecated, you can modify the system-wsgw-management-loopback-ua user agent in the default domain to change its TLS profile policy to use TLS client profiles. When you modify the TLS profile policy, make sure that you delete the entry for the deprecated TLS proxy profile. For more information, see Adding a TLS profile policy.