New in 10.6.x

The IBM® DataPower® Gateway 10.6.x offers the following new features and enhancements. Information about 10.6.0.1 and earlier fix packs is included.

For a list of resolved APARs, see Update packages for DataPower Gateway 10.6.x.

  • New in 10.6.1
    10.6.1 includes the following new features.
    • Added adaptive mode to the analytics endpoint to control the size of analytics records based on memory usage
    • Added support to IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity
    • Added support for the sha256-rsa-MGF1 algorithm
    • Added the Comments property to objects
  • New in 10.6.0.1 and earlier fix packs
    10.6.0.1 includes all new features in 10.5.0.11 and earlier fix packs. 10.6.0.0 replaces the 10.5.4 continuous delivery (CD) release.
    • Added support to the TLS server profile to control whether to require TLS peers to send the close_notify alert on shutdown
    • Added support to disable TLS renegotiation completely
    • Added support for OpenTelemetry integration
    • Added support for OIDC authentication to RBM
    • Added support to run actions that are related to the probe without the need to access the GUI
    • Enhanced GitOps integration
    • Added support to the API gateway to configure an LDAP connection pool and flush its cache
    • Added action and party that last modified an application or client key to API subscriber status
    • Added support for more JSONata functions for use by assembly actions
    • Added an extension function to verify whether an action in an assembly is an assembly action or a processing action
    • Extended XSLT extensions that manage variables and message payload in JSON for custom XSLT processing by the API gateway
    • Extended the GatewayScript context.reject() API to support a custom HTTP status code and reason phrase
    • Added support to control which TLS profiles secure connections to retrieve WSDL files

For more information about the new features, see the linked information.

10.6.1

The following information is a summary of the new features in 10.6.1.
Added adaptive mode to the analytics endpoint to control the size of analytics records based on memory usage
When you configure the analytics endpoint, you can specify whether to use adaptive mode, which dynamically controls the maximum size of analytics records. Adaptive mode helps to avoid dropped analytics records and an out-of-memory condition. In adaptive mode, the following behavior occurs based on memory usage.
  • When the state reports as normal, the size of each analytics record is the defined maximum record size.
  • When the state reports as low, the size of each analytics record is reduced to 4 KB.
  • When the state reports as out of memory, no analytics records are queued.
Added support to IBM MQ v9+ queue managers to manage OCSP and CRL checking for TLS connectivity
When you configure an IBM MQ v9+ queue manager, you can modify the behavior of OCSP and CRL checking for TLS connectivity. The default behavior for OCSP and CRL checks for TLS connectivity is as follows. For more information, see Configuring an IBM MQ queue manager.
  • Attempt an OCSP security check against the servers in the AuthorityInfoAccess (AIA) certificate extension.
  • When the revocation status of a certificate cannot be determined from an OCSP server, the connection is closed with an error.
  • Do not run a CDP revocation check against the servers in the CrlDistributionPoint (CDP) certificate extension.
  • Attempt to load the configuration for certificate revocation from the CCDT file, and run the check as configured. If the CCDT file cannot be opened or the certificate cannot be validated, the MQCONN call fails.
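To see which of these defaults can actually apply to a given queue manager certificate, the following Go program (an added example, not IBM or DataPower code) builds a constructed self-signed test certificate with crypto/x509, reads back its AuthorityInfoAccess OCSP servers and CRLDistributionPoints URLs, and reports which endpoints the default policy above would contact: the AIA OCSP responders are attempted and the CDP URLs are not consulted. A certificate that carries only CDP URLs therefore gives the default OCSP check nothing to query. The host names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// RevocationSources holds the revocation endpoints a certificate advertises.
type RevocationSources struct {
	OCSPServers  []string // AuthorityInfoAccess (AIA), OCSP access method
	CRLEndpoints []string // CRLDistributionPoints (CDP)
}

// Inspect parses a DER-encoded certificate and extracts both extensions.
func Inspect(der []byte) (RevocationSources, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return RevocationSources{}, err
	}
	return RevocationSources{
		OCSPServers:  cert.OCSPServer,
		CRLEndpoints: cert.CRLDistributionPoints,
	}, nil
}

// DefaultPlan applies the documented default: OCSP responders from the AIA
// extension are attempted, CDP URLs are not consulted. It returns the
// endpoints that would be contacted and whether an OCSP check is possible
// at all for this certificate.
func DefaultPlan(src RevocationSources) (contact []string, ocspPossible bool) {
	return src.OCSPServers, len(src.OCSPServers) > 0
}

// MakeTestCert creates a self-signed certificate (constructed test data with
// placeholder host names) carrying the given AIA OCSP servers and CDP URLs.
func MakeTestCert(ocsp, cdp []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "qm.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		OCSPServer:            ocsp,
		CRLDistributionPoints: cdp,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Report is the per-certificate summary returned by Demo.
type Report struct {
	Contact      []string // endpoints the default policy would query
	OCSPPossible bool     // false when the certificate has no AIA OCSP entry
	IgnoredCDP   []string // CDP URLs present but unused under the default
}

// Demo evaluates two constructed certificates: one with both AIA and CDP,
// and one with CDP only. The second one has no OCSP source to query.
func Demo() ([]Report, error) {
	cases := [][2][]string{
		{{"http://ocsp.example.invalid"}, {"http://crl.example.invalid/qm.crl"}},
		{nil, {"http://crl.example.invalid/qm.crl"}},
	}
	reports := make([]Report, 0, len(cases))
	for _, c := range cases {
		der, err := MakeTestCert(c[0], c[1])
		if err != nil {
			return nil, err
		}
		src, err := Inspect(der)
		if err != nil {
			return nil, err
		}
		contact, ok := DefaultPlan(src)
		reports = append(reports, Report{Contact: contact, OCSPPossible: ok, IgnoredCDP: src.CRLEndpoints})
	}
	return reports, nil
}

func main() {
	reports, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	for i, r := range reports {
		fmt.Printf("cert %d: contact=%v ocspPossible=%v ignoredCDP=%v\n", i, r.Contact, r.OCSPPossible, r.IgnoredCDP)
	}
}
```

Run it against a real queue manager certificate by replacing the constructed DER with the bytes of the certificate the channel presents; if OCSPPossible is false, the default configuration has no OCSP responder to reach and you need to decide deliberately whether to enable the CDP check or to rely on the CCDT configuration.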
Added support for the sha256-rsa-MGF1 algorithm
When you configure the sign action, you can specify the asymmetric sha256-rsa-MGF1 algorithm. This algorithm is the RSASSA-PSS signature scheme with SHA-256 as the digest and MGF1 as the mask generation function, as defined for that identifier in RFC 6931. When a message is signed with this algorithm, the verify action can verify this RSA-signed message.
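As an added example that is not DataPower or IBM code, the following Go program shows what the sha256-rsa-MGF1 profile means in practice using Go's standard crypto/rsa: RSASSA-PSS with SHA-256, MGF1 over SHA-256, and a salt as long as the digest. The key is generated and the XML message is constructed inline for the demonstration. It also shows two properties a practitioner should expect from this algorithm: a PSS signature is randomized by its salt, so signing the same message twice yields different bytes, and a verifier that only understands the older PKCS#1 v1.5 rsa-sha256 scheme rejects it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// pssOptions encodes the sha256-rsa-MGF1 profile from RFC 6931: SHA-256 as
// the message digest, MGF1 built on the same hash, and a salt whose length
// equals the digest length (32 bytes).
func pssOptions() *rsa.PSSOptions {
	return &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
}

// SignPSS produces an RSASSA-PSS signature over msg.
func SignPSS(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOptions())
}

// VerifyPSS reports whether sig is a valid PSS signature over msg under pub.
func VerifyPSS(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOptions()) == nil
}

// VerifyPKCS1v15 is the legacy rsa-sha256 (PKCS#1 v1.5) check. A verifier
// that only knows this scheme cannot accept a PSS signature.
func VerifyPKCS1v15(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Result collects the outcomes of the round trip so they can be checked.
type Result struct {
	PSSValid      bool // genuine message verifies under PSS
	TamperedValid bool // modified message verifies under PSS (must be false)
	PKCS1Valid    bool // PSS signature accepted by a PKCS#1 v1.5 verifier (must be false)
	Randomized    bool // two PSS signatures over one message differ (random salt)
}

// Demo signs a constructed sample message with a freshly generated 2048-bit
// key and exercises the verifiers. The message is sample data, not a real
// DataPower payload.
func Demo() (Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	msg := []byte(`<Order id="42"><Amount>100.00</Amount></Order>`)
	tampered := []byte(`<Order id="42"><Amount>9100.00</Amount></Order>`)

	sig1, err := SignPSS(priv, msg)
	if err != nil {
		return Result{}, err
	}
	sig2, err := SignPSS(priv, msg)
	if err != nil {
		return Result{}, err
	}
	pub := &priv.PublicKey
	return Result{
		PSSValid:      VerifyPSS(pub, msg, sig1),
		TamperedValid: VerifyPSS(pub, tampered, sig1),
		PKCS1Valid:    VerifyPKCS1v15(pub, msg, sig1),
		Randomized:    !bytes.Equal(sig1, sig2),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("PSS valid: %v, tampered valid: %v, PKCS#1 v1.5 valid: %v, randomized: %v\n",
		r.PSSValid, r.TamperedValid, r.PKCS1Valid, r.Randomized)
}
```

The randomized salt is the practical reason you cannot compare two signatures of the same document byte for byte, and the rejected PKCS#1 v1.5 check is why both the signing and the verifying side must agree on the PSS identifier rather than on "RSA with SHA-256" in general.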
Added the Comments property to objects
When you create or modify instances of the following crypto objects, you can specify the Comments property.
  • Certificate
  • Firewall credentials
  • Identification credentials
  • Key
  • Shared secret key
  • Validation credentials
When you view the following status providers, the output contains the data from the Comments property of the listed objects.
  • The DNS static hosts status provider and the show static-hosts command
  • The Routing table status provider and the show route command

10.6.0.1 and earlier fix packs

The following information is a summary of the new features in 10.6.0.1.
Added support to the TLS server profile to control whether to require TLS peers to send the close_notify alert on shutdown
When you configure a TLS server profile, you can control whether to require TLS peers to send the close_notify alert on shutdown. The TLS specification requires each side to send a close_notify alert before it closes the connection; the alert lets the receiver distinguish an orderly shutdown from a truncated connection. However, some peers close the TCP connection without sending close_notify, which abruptly ends the TLS connection, so requiring the alert causes such peers to be treated as errors. For more information, see Creating a TLS server profile.
Added support to disable TLS renegotiation completely
When you configure a TLS profile, you can define the profile to disable TLS renegotiation completely. Renegotiation exists only in TLS 1.2 and earlier (TLS 1.3 removed it), so disabling it affects only those protocol versions; it removes the renegotiation attack surface and the extra handshake work a peer could otherwise request. For more information, see TLS connections.
Added support for OpenTelemetry integration
On the DataPower Gateway, you can configure integration points for OpenTelemetry. This support is primarily for API Connect integration. For more information, see OpenTelemetry integration.
Added support for OIDC authentication to RBM
When you configure RBM settings, you can define OIDC as the authentication method. This authentication method securely connects to an OIDC identity endpoint to retrieve public keys for OIDC validation. For more information, see Defining RBM for OIDC authentication.
Added support to run actions that are related to the probe without the need to access the GUI
On the DataPower Gateway, you can use the commands in debug probe mode to run actions that are related to the probe. The probe is used to capture data for transactions that a service processes that you can use to help troubleshoot a problem. For more information, see Debug probe commands.
Enhanced GitOps integration
  • In the default domain, you can define GitOps variables. GitOps variables are the set of global name-value pairs for use in GitOps templates. For more information, see Managing GitOps variables for GitOps templates.
  • While you are creating a GitOps template entry, you can test what the template entry does and whether it works as expected. For more information, see Managing GitOps templates.
  • When you use GitOps, you can view the status for GitOps and GitOps template operations. These status providers provide the necessary details to help in troubleshooting. For more information, see Viewing status for GitOps and GitOps template operations.
  • Added the global gitops-remove-template command to trigger the removal of a template from the Git repository that is configured in the GitOps object. For more information, see gitops-remove-template.
Added support to the API gateway to configure an LDAP connection pool and flush its cache
When you configure an API gateway, you can assign an LDAP connection pool to connect to the LDAP server. Each API gateway maintains a cache for its LDAP connection pool. For operational reasons, you might need to clear the data in the LDAP cache. For more information, see Configuring an API gateway.
Added action and party that last modified an application or client key to API subscriber status
When you view information about API subscribers, the data includes the action and party that last modified the application or client key. For more information, see Viewing shared storage for API subscribers.
Added support for more JSONata functions for use by assembly actions
When you use JSONata in assembly actions, you can now use more functions from the JSONata Date/Time and Numeric function libraries.
Added an extension function to verify whether an action in an assembly is an assembly action or a processing action
When you define custom XSLT processing for an API gateway, you can use the apigw:is-assembly-action() extension function to verify whether the action in an assembly is an assembly action or a processing action. The function returns true when the action is an assembly action and false when it is a processing action. For more information, see apigw:is-assembly-action().
Extended XSLT extensions that manage variables and message payload in JSON for custom XSLT processing by the API gateway
When you create the stylesheet for an XSLT assembly action, the following XSLT extensions are enhanced to support JSON variables and message payloads.
apigw:set-payload extension element
Added the jsonx2json and parse-string attributes. The jsonx2json attribute specifies whether to convert the payload from JSONx to a JSON object. The parse-string attribute specifies how to parse the payload. For more information, see apigw:set-payload.
apigw:read-payload()
Added the stringify parameter. This parameter specifies whether to read the payload as a string instead of an XML or JSON document. For more information, see apigw:read-payload().
apigw:set-variable extension element
Added the jsonx2json and parse-string attributes. The jsonx2json attribute specifies whether to convert the variable value from JSONx to a JSON object. The parse-string attribute specifies whether to parse the variable value and convert it to a JSON object. For more information, see apigw:set-variable.
apigw:get-variable() extension function
Added the stringify parameter. This parameter specifies whether to get the variable value as a string instead of an XML or JSON document. For more information, see apigw:get-variable().
Extended the GatewayScript context.reject() API to support a custom HTTP status code and reason phrase
When you create a custom GatewayScript that uses the context.reject() API, you can add your own custom HTTP status code and reason phrase. For more information, see context.reject().
Added support to control which TLS profiles secure connections to retrieve WSDL files
When the URL to retrieve the file starts with https://, the retrieval uses the system-wsgw-management-loopback-ua user agent in the default domain. By default, this user agent uses the system-wsgw-management-loopback TLS proxy profile, which is predefined; you cannot modify its cryptographic artifacts (profiles).

Because the TLS proxy profile is deprecated, you can modify the system-wsgw-management-loopback-ua user agent in the default domain so that its TLS profile policy uses TLS client profiles instead. When you modify the TLS profile policy, delete the entry for the deprecated TLS proxy profile. For more information, see Adding a TLS profile policy.