TIBCO Cloud API Management Release Notes

April 23, 2024

Closed Issue

Change in Functionality 

• Able to add/select a subdomain value while creating new API Definition using Import URI or Import file options.

April 2, 2024

Closed Issue

• WA-13161 - The V3 call gives null response for endpoint "updated"&"created".
• EIN-10108 - Resolved the issue where Mesh-based transformation causes Intemittent 500s+NPEs.

Change in Functionality 

• Have an API to pull the response filters used on a given plan and all of its methods.

March 12, 2024

Closed Issue

• WA-13520 - Resolved the issue for misconfigured attributes for the developer page.

February 20, 2024

Change in Functionality 

• Able to set PackageKey expiry on the Plan level.
• The SAML certificate is  updated in the Prod Environment.
• The SAML certificate is  updated in non-prod Environment.

January 23, 2024

Closed Issue

• WA-13375 - Resolved the issue for the outdated links on CAPIM Control Center / Additional Help section.
• WA-13102 - Resolved the issue where the incorrect curl is generated via APIM swagger.
• WA-13508 - Resolved the issue where the TIBCO Event Trigger Notification Calls to KLM failed with 403.
• WA-13084 - Resolved the issue where the save buttons were not working when you try to create new interactive documentation.
• WA-13249 - Resolved the issue where the multiple servers in the OAS are not working as variable.

November 14, 2023

Closed Issue

• WA-13333 - Resolved the issue where the  endpoints with path parameters conflict with themselves when the parameters are renamed.
• EIN-11502 - Resolved the issue where a valid request for a deleted path returned 596.

Change in Functionality 

• Able to set empty value to "Your Public Traffic Manager Domain" for new endpoints.
• Able to get the hourly usage data for the package key using v3 API.

November 7, 2023

Closed Issue 

• WA-13312 - Resolved an intermittent issue where JavaScript in Content Pages was not working.
• WA-12628 - Streamlined notification process for whitelisting client domains for improved turnaround time.

Change in functionality 

• Added ability to  disable the developer email notification for new package key creation.
• Resolved an issue where an error occurred while calling private endpoints with multiple paths.

October 31, 2023

Closed Issues

• WA-13201 - Resolved the issue where the page 4 of the package keys page were not loading data.
• WA-12751 - Resolved the issue where the unexpected additional route occurred in Load Balancing when creating new endpoint.

October 17, 2023

Closed Issues Change

• WA-13155 - Resolved the issue where the Mashery v3 API content-type response header is incorrect for error conditions.
• WA-12832 - Resolved the issue where the notifications are not enabled during V3 Package create event when notifyAdminEmails are set.
• WA-13306 - Resolved the issue where the Terms of Service and Privacy Policy links were incorrect on the member registration page.
• WA-7049 - Resolved the issue where the External Oauth server invocation for access token fails form I/O docs.

Change in Functionality

• Implemented improved user logging and tracking in Control Center. 

October 10, 2023

Closed Issues

• EIN-11518 - Resolved an issue where the Interactive documentation upload gave 'A system error has occurred while processing your request'.

September 12, 2023

Closed Issues

• WA-12932 - Resolved an issue where XSS can execute following Application registration when specific payloads are provided.
• WA-12867 - Resolved an issue where a call to return Package Keys responds with an Integer-Id instead of an UUID.
• EIN-11410 - Resolved an error handling issue where a request for a deleted endpoint is accepted rather than rejected.

Change in Functionality

• Change to updated Package Key search to display packages in alphabetical order

August 22, 2023

Closed Issues

• WA-13137- Resolved an issue in the service mesh where PostService was not able to set a PublicEndpointPath.

August 8, 2023

Closed Issues

• WA-13805 - Audit History logs now provide more granular detail regarding changes to a specific plan..

• EIN-10724 - Resolved an issue where a deleted/disabled key continues to work while using HTTP Basic Authentication Connector for SAAS.

August 1, 2023

Closed Issues

• WA-13185 - Resolved an issue where a user could not re-enable a package key previously disabled.
• WA-13186 - Resolved an issue where audit logs did not record disabled member status.

July 25, 2023

Change in Functionality

• Templates for Control Center and Developer Portal notifications for new member registration are now consistent.

July 4, 2023

Closed Issues

• WA-13139 - Resolved the issue where V3 API call fails when Mesh endpoint is in a different region.

Change in Functionality

• Clients can now create trial API/MAPI keys that automatically expire after a defined period of time.

June 27, 2023

Closed Issues

• EIN-10655- Resolved an error handling issue where a request for a deleted endpoint is accepted rather than rejected.
• EIN-11057  - Resolved an error handling issue where a request for a deleted endpoint is accepted rather than rejected.

June 20, 2023

Change in Functionality

• Resolved the issue where V3 API call fails when Mesh endpoint is in a different region.

May 30, 2023

Closed Issues

• EIN-10861 -Resolved the issue where the backend slowness was resulting in socket exhaustion across the EU SNI Stack.

Change in Functionality

• Package keys that automatically expire are automatically deleted, and Traffic Manager will return a 403 Developer Inactive message

May 23, 2023

Change in Functionality

• Added ability to allow values less than 60 seconds for Cache TTL. 

• Added the provision to communicate SSL certificate expiry through Admin Dashboard.

May 16, 2023

Closed Issues

• WA-12772 - Resolved the encoding issue of the feedback form.
• WA-12964 - Resolved the issue related to LABEL_EXPIRES field explanation.

Change in Functionality

• Areas can now optionally implement a variety of data retention and anonymization policies.

March 28, 2023

Change in Functionality

• Added configuration option to restrict Organization Administrators from adding, editing, or deleting applications outside of their assign role.  TIBCO Support must be contacted to enable feature.

March 9, 2023 

March 7, 2023

Closed Issues

• WA-12494 -  IllegalStateException error seen when deleting an API created through Swagger, and recreating the API using the same Swagger.
• WA-12583 - Custom developer email notification template was not being applied even though a new API key was issued.

Change in Functionality

• The Notification Email that is sent to Administrators is now editable.
• When automating API publishing within a CI/CD pipeline, users now have access to manage APIs within TIBCO Cloud API Management via the Platform API created within TIBCO Cloud (TCI, BW, etc.). Also, users are now able to analyze available endpoints, paths and methods through TIBCO Cloud Mesh.

February 28, 2023

Closed Issues

• EIN-10456 -Resolved a URL routing issue, for a specific call scenario, during call transformation.

Change in Functionality

• Users can now create Admin-specific email templates for Package Key notifications.

February 21, 2023

Closed Issues

• EIN-10181 -Resolved an issue where the X-Mashery-Message-ID header failed to propagate during call transformation.

February 14, 2023

Closed Issues

• WA-12417 - Resolve an issue where a disabled user's keys remained active.
• WA-12556 -Introduced an enhancement to include the entire payload on package key deletion events, similar to package key creation events.

January 31, 2023

Closed Issues

• EIN-10501 - Resolved issue where the backend slowness was resulting in socket exhaustion across the EU SNI Stack.
• EIN-10503 - Failsafe set for an area triggered 503 Service Unavailable errors for other areas.

January 24, 2023

Closed Issues

• WA-12562 - Resolved issue where My Account - Appplications page still had keys data displayed.

January 10, 2023

Closed Issues

• WA-12662 - Resolved an issue where packageKey couldn't call a particular endpoint.
• WA-12595 - There are consistent counts on Client Usage Report now.

November 01, 2022

Change in Functionality

• Added ability to disable email notifications when a new application, key, or user is created.

Closed Issues

• WA-12432 - Resolved an issue where the Username error notification is visible only if we have passed through the Captcha verification.

October 18, 2022

Change in Functionality

• Added ability to mask API Keys and Secrets within Developer Portal

Closed Issues

• WA-12114 - Unexpected error when attempting to delete organizations with APIs and Packages has now been fixed.
• WA-12136 - The Organization of an API can now be changed to Area Level in Untethered Cloud API Management Local Edition.

October 11, 2022

Change in Functionality

• Administrators are now able to generate reports identifying client utilization of a given endpoint.

Closed Issues

• WA-12425 -Resolved an issue where seconds to attempt initial connection to endpoint cannot be set to more than 7 seconds.
• WA-12453 -Resolved I/O Docs vulnerability issue.

October 4, 2022

Closed Issues

• WA-12493 -Resolved an issue, when transforming an OAS 3.0 Swagger payload via API, where specified custom ports were not included in resulting APIM definition.

September 20, 2022

Change in Functionality

• Added support for reassignment of sub-organizations (to Parent orgs)

Closed Issues

• WA-12447 -Resolved an issue that prevented applications from moving across users.
• WA-12460 -Enhanced error logging in flows where application ownership is changed.
• WA-12504 -MARK API for POST/application now correctly supports validation for "id" field.

September 13, 2022

Closed Issues

• EIN-9570 - Resolved an issue where specific forwarded headers were missing in authentication calls.

September 6, 2022

Change in Functionality

• You can now detect if the last package key is deleted in the delete package key event.

Closed Issues

• WA-12107 - Resolved an issue where applications have is_packaged set to false even though there are package_keys assigned.
• WA-12470 - Resolved an issue where IODocs default option didn't work.
• WA-12442 - Developer portal issue.

July 26, 2022

Closed Issues

• WA-12400 - Resolved scenario where users were unable to clone endpoints.
• WA-12396 - Resolved issue where character-specific changes to endpoints could not be made.

Changes in Functionality

• When deleting or removing a domain from an area, and an error is given, service details are now added with the error.

July 12, 2022

Change in Functionality

• Enhanced user experience in Developer Portal by improving accessibility and searchability of API Documentation.
• Email notifications now occur for the creation of new user/package keys via the V3 API.
• Session timeout behavior has been enhanced to improve user experience and prevent data loss.

June 28, 2022

Closed Issue

• EIN-9643 - Introduced infrastructure improvements to decrease data synchronization latency and quicken data accessibility.

June 21, 2022

Closed Issues

• WA-12301 - Resolved a scenario where erroneous "Maximum limit reached" notifications are presented when creating new API definitions in the Organization.
• WA-12267 - Resolved an issue where API/endpoints were responding unexpectedly to specific package/plan configurations.

June 07, 2022

Closed Issue

• WA-6834 - Eliminated erroneous prompts when adding API Key inputs on the Developer Portal.

May 24, 2022

Change in Functionality

• Enabled an enhanced theme on the Developer Portal for improved user experience.

Closed Issues

• WA-12243/WA-12144 - Resolved an issue where the API application threw an error while adding API endpoints to a package/plan.
• WA-12013 - Allow toggle to deactivate "autocomplete" browser functionality on the DevPortal login.
• WA-11656 - Resolved "duplicate entry" errors when adding endpoints to a plan.
• WA-10472 - Unable to update the Plan Designer.

May 10, 2022

Change in Functionality

• Updated response code for the JWT authenticator when an invalid token is passed in the API call.

Closed Issues

• WA-12218 - The Portal Setup documentation link, API Management Customization Documentation, has been fixed.
• EIN-9612 - Resolved an issue where the REST > SOAP connector failed to render the correct content hierarchy in SOAPBody.

April 26, 2022

New Feature

• Introducing a new optional query parameter, (record_offset), for MARK (Members, Applications, Roles, Keys) objects. More information can be found here and here.

Closed Issue

• WA-12268 - Resolved an issue where API/endpoints were responding unexpectedly to specific package/plan configurations.

April 19, 2022

Closed Issues

• WA-12252 - Addressed a scenario where inactive plans could not be accessed, deleted, or re-enabled.
• EIN-8908 - Resolved an issue where a SOAP endpoint WSDL retrieval request updated only the hostname and not the URI/path.

April 12, 2022

Changes in Functionality

• Implemented health checks of APIs for "ptl" and "api-v2" workers to resolve sporadic permission-based errors.
• Resolved a processing issue where the lighttpd server became destabilized due to lighttpd error logs.
• Service Endpoint type is now displayed as "standard" or "token" for GET Service definition endpoints on package/plan level.
• Enhanced DevPortal login experience to include richer security configurability options.

April 05, 2022

Change in Functionality

• Resolved an issue where token endpoints were responding unexpectedly to 'OPTIONS' (preflight) requests.

Closed Issues

• EIN-9512 - Resolved an issue where creating tokens without an Origin header, using the token endpoint (V3 API), responded unexpectedly.
• EIN-9506 - Resolved an issue where CORS-enabled endpoints were responding unexpectedly to preflight requests.
• EIN-8767 - Resolved authentication error of API Key in request body for ?Content-Type: application/json?.

March 22, 2022

New Feature

• Added visibility of functionality for plan/package EAVs.

Changes in Functionality

• Redesigned Plan Designer page by separately sorting in-use API endpoints and methods for better user experience.
• Improved functionality by allowing propagation of rate limits from the plan/key level to the method level on existing endpoints.
• Added support for custom error codes.

Closed Issues

• WA-12119 - Resolved a sporadic response inconsistency in V3 API (GET) invocation.
• WA-12055 - Increased the number of visible organizations within User Access configuration.
• WA-11117 - Resolved an error where a deleted endpoint was displayed as ?active? in the plan_endpoints table database.
• EIN-9403 - Addressed a scenario where limit values at the PackageKey level were not honored when Plan level limits were unlimited/different.
• EIN-8675/EIN-7846 - Resolved Memcached inconsistencies after configuration changes.

March 08, 2022

Changes in Functionality

• Removed restriction to add EAVs for packages and plans.
• API Definitions on the Plan Designer are now sorted and displayed for improved user experience.
• Improved GET calls retrieving all package keys accessible for a plan.
• Resolved an inconsistency by adding a "stop on error" configurable boolean field on the Call Transformations page.
• Improved discovery of packages linked to specific API definition endpoints.

March 01, 2022

New Feature

• Improved readability of functionality for individual EAVs in the Control Center.

Changes in Functionality

• Added a date filter to V3 APIs for improved user experience.

Closed Issues

• WA-12050 - Resolved an inconsistency identified between User Package Keys and Applications.
• WA-12068 - Updated package ids for existing keys having incorrect package/plan combination.

February 15, 2022

Closed Issue

• EIN-9198 - Resolved Null Pointer exception error after SSL handshake.

February 08, 2022

Changes in Functionality

• Clarified error response in scenarios where package key update fails.

Closed Issues

• WA-12070 - Resolved an issue where the Plan Designer page didn't load for any packages.
• WA-12010 - Resolved an issue where endpoint reversion was not completing successfully.
• EIN-6001 - Addressed a scenario where API Management sync displayed Turkish time zone instead of UTC or user timezone.

February 01, 2022

Closed Issues

• WA-12008 - Addressed a scenario where any low-privileged user was able to issue SQL queries to access sensitive information.
• WA-11955 - Addressed an issue where a new/cloned endpoint didn't work with the AMSData URI.
• WA-11888 - Resolved an issue where one could easily access/download the Swagger specifications from the API Management without authentication.
• EIN-8691 - Resolved Memcache inconsistencies after configuration changes.

• EIN-1369 - Resolved Memcached inconsistencies after configuration changes.

January 25, 2022

Changes in Functionality

• Resolved an issue where API Management sent notifications for the user, key, and application activity using an outdated PHPMailer.
• Added functionality to retain the entries in public_domain_endpoints by marking them as "not-active" when the state changes to "deleted".

January 11, 2022

Change in Functionality

• When a user is about to delete the account of any other user in Mashery, a warning appears with the necessary actions that would be taken on deleting that particular user.

Closed Issues

• WA-11803 - Blocked the creation of endpoint/s with relative path "/../" in the URI.
• WA-11788 - Resolved an issue related to the mismatch of user data in the database.
• WA-11777 - Masked the API keys in the email notification when the Call Inspector was Enabled/Disabled for the Mashery Cloud.

November 16, 2021

Changes in Functionality

• SOAP Cache Connector default TTL (Time-to-live) value of 300 seconds can now be overridden by Endpoint TTL or Service TTL. For more information, refer to the SOAP Cache Connector.

• REST Cache Connector default TTL (Time-to-live) value of 300 seconds can now be overridden by EndpointTTL or ServiceTTL. For more information, refer to the REST Cache Connector.

Closed Issue

• EIN-8805 - SOAP Cache Connector loses European/Unicode characters.
• EIN-8854 - Resolved an issue where the Custom HTTP headers configured in Mashery APIs had "encoded" values instead of actual values.

• EIN-8488 - Analyzed and resolved the issue related to AWS Lambda Sidecar Integration Connector.

November 9, 2021

Closed Issue

• WA-11611 - Resolved a sporadic issue where an SSO user is unable to access an API Definition.
• WA-11739 - Users removed from TIBCO Cloud were still showing up in Control Center.

October 20, 2021

Changes in Functionality

• On the Plan Designer page, the defined fetch limit to fetch all endpoints in multiple calls has been set to 600.
• Enabled "Full" SSL support on Mashery developer portals by default; previously set to "None".
• Pre-flight check added in CIC Subscription provisioning to verify if the current Mashery area name already exists.

Closed Issue

• WA-11824 - Changed queries in PersistedServiceMapi to select based on the status i.e. "not-deleted" instead of "active".
• EIN-8850 - Resolved the issue related to InjectModelAttributeHeader and InjectConditionalHeader connectors when the call is run through EU-Central.

October 13, 2021

Closed Issue

• EIN-7977 - Resolved OAuth issue related to U.S. Daylight Savings time change.

October 6, 2021

Improvements

SOAP Cache Connector / REST Cache Connector - When defining cache_ttl at the service level or endpoint level, then the regular cache is coming into play and it is overriding the SOAP Cache Connector/REST Cache Connector. Now, cache_ttl will be defined in pre input and not at the service level or endpoint level.

September 28, 2021

Changes in Functionality

• Tool Tip Text Update for Cache Disabling

The following tool tip is now added for how to disable caching once Cache Time-to-Live feature is enabled on the API Service and API Endpoint pages: "Setting a value of 0 will disable caching."

Closed Issues

• WA-11756 - Resolved an issue with custom key creation in specific scenarios.
• WA-11691- Addressed a reported issue causing frequent logouts in Mashery Cloud.
• WA-11730 - Addressed a filtering issue with Organization picker within TIBCO Cloud Mesh.
• WA-11489 - Addressed a Mashery V3 API call issue when moving a given package key from one API Package to another API Package. For more information, see the Package Keys topic in the Mashery Cloud API documentation.
• EIN-8440 - Resolved a sporadic issue involving erroneous access to a defined Method not included in a Plan.

September 14, 2021

Changes in Functionality

• Implemented optimizations to Service Definition configuration.

Closed Issue

• WA-11704 - Package key audit history 'Changed By' column was incorrectly showing the owner of the key instead of the user that made the change.

August 31, 2021

Closed Issues

• WA-11596 - Pagination was not working as expected on the HTTPS Client Profile page. 
• WA-11715 / WA-11724 - Mashery throwing Duplicate Entry error for a particular URI.
• WA-11668  - Unable to change the Application Owner.
• WA-11689 - Resolved an intermittent accessibility issue within the Content Page of the Developer Portal.

August 10, 2021

Changes in Functionality

• Developer Portal - TIBCO analytics tags updated/removed (Google Analytics).
• Added support for rejecting the whitelisting of a top-level domain when a sub-domain is already approved and or in use.
• Interactive Documentation within the Mashery Cloud Control Center now lists the current versions of endpoints.

Closed Issues

• WA-11626 - New member profiles created during ?Invite New Members? now default to the user?s First Name and Last Name.
• WA-11691 - Addressed an uncommon scenario where users experienced sporadic logout behavior.

July 27, 2021

Change in Functionality

• A Cancel button is added in the confirmation popup windows.

Closed Issues

• WA-11590 - Fetching the service and endpoints using the Mashery API fetch call to the plans were returning invalid dates.
• WA-11678 - Content added (Using Manage -> Contents -> Select any random custom page) were not getting saved.
• WA-11434 -  Pages (and their child pages) in the Developer Portal were not visible to users as expected.
• WA-11519 - The HEAD request to get the X-Total-Count header did not work consistently across resources.

June 29, 2021

Change in Functionality

• IP Whitelisting Connector updated for improved compatibility with Azure.

June 15, 2021

Closed Issue

• WA-11533 - Resolved admin issue of creating/deleting sub-organizations.

June 01, 2021

Change in Functionality

• Admin is now warned if an Admin user has an Mashery API key while being disabled or deleted.

Closed Issues

• WA-11426 - Cloning of an Application Service Registry endpoint now works as expected.
• WA-11538 - Issues with Mashery user accounts having special characters in TIBCO cloud account now fixed.

May 18, 2021

Closed Issues

• WA-11344 - Updated visibility and access for the API Manager role to view HTTPSClientProfile in Mashery Control Center.
• WA-11554 - Developer portal key activity reports were not returning any data. This issue has been fixed.

April 27, 2021

Change in Functionality

• When using the Mashery Platform API to CreateAccessToken, if User_Context is not passed in the call, the response will return a ?null? value instead of a blank value.

Closed Issues

• WA-11270 - General performance, security, and stability fixes.
• WA-11255 - Resolved issue which prevented Organization Admins from creating Sub-Organization Endpoints.

April 20, 2021

Change in Functionality

The behavior of the Service User role has been updated:

• Service User can be assigned along with other roles.
• ACL Permissions of roles other than Service User role determine the access permission for the user.  
• Evaluation Area Creation: For the auto-generated user with Service User, an Administrator role is now added in the creation process.

Closed Issues

• WA-11518 - Resolved error during login from TIBCO Cloud into Mashery Control Center under a specific Organization/Child-Organization.
• WA-11456 - Updates to use and scope of Service User roles.
• WA-11316 - The Delete audit trail history for an API Package Key after a Package/Plan is deleted was missing. This is now fixed.

April 13, 2021

Change in Functionality

• The user_context field is now included in the response from TIBCO Cloud Mashery.

March 30, 2021

New Features

Enriched Call Log Export (ECLE) has been updated as follows:

• All ECLE profiles now require the enhanced security configuration which includes assumed-role access and native s3 bucket encryption.
• As communicated in the past, all un-encrypted and IAM access functionality will be deprecated and all the un-encrypted configurations will be disabled.
• Please see the setup instructions present on the Control Center ECLE page for more information about configuring your AWS account prior to creating or updating an ECLE profile.

Added the ability to validate API calls using encrypted JWT JWE (JSON Web Encryption).

Change in Functionality

• General performance, security, and stability improvements. (AJ-2249, AJ-2260, AJ-2281, AJ-2294, AJ-2298, AJ-2322)

March 2, 2021

New Feature

Support for Mutual Transport Layer Security (mTLS)

Control Center UI updated for supporting mTLS (Mutual TLS) configuration for endpoints. mTLS ensures verification between client and server. Note this feature is only for Mashery Local 5.3.1 and above customers, who are using tethered mode only.

Change in Functionality

• General performance, security, and stability improvements (WA-11271, WA-11351, WA-11437).

Closed Issue

• EIN-8084 - Broken formatting on Call Inspector Call Detail panes. This is now fixed.

February 9, 2021

Change in Functionality

• General performance, security, and stability improvements (WA-11253).

January 26, 2021

New Feature

Ability to Configure Content Security Policy (CSP) for Developer Portal

A Content Security Policy (CSP) editor is now available when configuring a Developer Portal. For more information, refer to Customizing your Portal.

Change in Functionality

• General performance, security, and stability improvements (WA-11275, WA-11385).

November 10, 2020

New Feature

The Service User role, initially available only for CIC areas, is now available on all areas. Once a user is assigned this role, the user will not able to login to the Control Center/Dashboard. The appropriate warning/confirmation is displayed to the user when this role is assigned to any member in the Access settings panel. A user assigned to this role will be able to invoke APIs as an area admin. A service user will be also able to login to developer portal.

October 29, 2020

New Features

The API Policy Connector has been updated with the following new feature:

• JWE (JSON Web Encryption) support for third party JWT token. Compliant to JWE RFC https://tools.ietf.org/html/rfc7516. Supports following key algorithms and content encryption algorithms:
  • JWE 'alg' : [ RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES,ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW]
  • JWE 'enc' : [ A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512, A128GCM, A192GCM and A256GCM, HS512]

OIDC Token Authentication Connector

The OIDC Token Authentication Connector is now available. This Connector supports securing APIs in TIBCO Mashery using third party OIDC IDP based ID token. Features include:

• Ability to configure up to ten user info endpoints per service endpoint for ID validation using any third party OIDC IDP.
• Conditional pickup of user info endpoint for user info based on incoming meta data for geo-distributed API services.
• Ability to enrich API request header with user info meta data that is returned after successful ID validation.
• Support for strict case sensitive method for GET and POST calls to third party OAuth2.0 Auth server user info endpoint. HTTP Verb must be case-sensitive and supported that way in compliance with RFC 7231 guidelines.
• Support of configurable parameter enable_error_set to control error response code sent by TIBCO Mashery. If enable_error_set is configured as "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED that is Gateway supported error message. In this case, http response status code and status text for connector is overridden by error set defined for that endpoint in Mashery Control Center. If enable_error_set is configured with value other than "true", then there is no change in Mashery Connector existing functionality that responds with ERR_401_UNAUTHORIZED for backend server response code with 401 for unauthorized calls. enable_error_set parameter value with "true" is case-insensitive.
• Support of UserInfo error responses on error condition as defined in the OAuth 2.0 Bearer Token Usage Specification. https://tools.ietf.org/html/rfc6750#section-3.1

Change in Functionality

The SOAP WS-Security Connector has been updated with the following enhancements:

• Supports SOAP message payload size up to 1024 KB (1 MB).
• Error handling improvement for accurate checking of supported signature and encryption algorithms.

October 27, 2020

New Feature

New Organization-specific Role: Organization Support User

Added new organization-specific role - Organization Support User - for all organizations including existing organizations. The Organization Support User role has read-only access to all pages in the API Control Center dashboard with data filtered based on the Organization. Buttons (such as Save, Create, Edit, and Delete) and various fields (such as check boxes and text boxes) are disabled for Organization support users.

Change in Functionality

The warning message for 'Time to wait for a response from endpoint' has been updated to specify that it applies only for Mashery Cloud calls (and not for Mashery Local).

Closed Issues

• WA-11295 - Fixed general issues related to Dapi.
• WA-11282 - Map Overlay reports were not loading correctly from API Control Center > Reports > Developer Activity > Map Overlay. This is now fixed.

October 13, 2020

Closed Issue

• WA-11105 - Resolved packager-based reporting map overlay display bug.

October 8, 2020

New Feature

SOAP WS-Security Connector

The SOAP WS-Security Connector is now available. This Connector supports SOAP WS-security specs to validate SOAP API calls for SOAP message signature, apply encryption/decryption to enforce integrity and confidentiality on messages. It also supports optionally creating the security header with the timestamp component in the outgoing request to the backend API server.

Change in Functionality

The AWS Lambda Sidecar Integration Connector has been updated with the following improvement:

• Better resiliency in error management by incorporating Lambda function custom runtime exception that comes with X-Amz-Function-Error header. (AWS Lambda Runtime Error Handling Documentation.)
• Improvement to secure and encrypt confidential credential like externalID by integrating with AWS Systems Manager Parameter Store.

The REST <-> SOAP Transformation Connector has been updated with the following improvement:

• Supports accurate Content-Type header for REST ? SOAP transformation for both SOAP1.1 and SOAP1.2
  • REST(JSON) -> SOAP 1.1 , Content-Type header is set to application/xml;charset=UTF-8 after transformation.
  • REST(JSON) -> SOAP 1.2 , Content-Type header is set to application/soap+xml;charset=UTF-8 after transformation.

October 1, 2020

New Feature

JSON Schema And Payload Size Validation Connector

The JSON Schema And Payload Size Validation Connector is now available. This Connector supports RESTful API request validation using JSON schema provided either in Content Type header or Link header. Features include:

• Support for RESTful API payload size validation.
• Optionally supports fail-safe mode for payload size validation. In fail-safe true mode, an API call is forwarded even if it is more than the configured max size but less than max allowed payload size.
• Supports configuration 'override_custom_error_message' for enabling API service endpoint supported static custom messages to override Connector runtime message.

September 23, 2020

Change in Functionality

Call Log Export (ECLE) S3 Server-Side Encryption

In an effort to provide improved security for the Call Log Export (ECLE) feature, we have added support for S3 Server-Side Encryption. To use this feature, all AWS resources are created by the customer, providing full ownership of the encryption, authentication/authorization, and storage mechanisms using the TIBCO provided CloudFormation template.

To activate this feature, enable the Bucket Encryption flag on the ECLE profile create or edit screens. Once the Bucket Encryption flag is enabled, you will need to input fields S3 Bucket Name, IAM Role Arn, CMK Arn, and ExternalId for Role Assumption. This information is generated after successful stack creation using the provided CloudFormation template.

For more information, refer to the Setup Instructions provided in the ECLE profile create or edit screen.

Because security is more important than ever, we are deprecating the existing IAM based bucket policy functionality in early November.  Between the launch of the encryption functionality and the depreciation of IAM bucket policy support, we are requiring customers to run in both modes. The provided CloudFormation template will allow you to either apply the new settings to an existing bucket, or create a new bucket with both sets of configuration.  We will notify you once the IAM policy functionality has been disabled, at which point, we recommend that you remove the IAM based policy from your S3 bucket. ECLE profiles not implementing the new encryption policy by November 10th will be disabled until such time their configuration is updated to the new encrypted mode. 

September 15, 2020

Improvement

The API Policy connector has been updated with the following improvements:

• Extend payload match policy to support SOAP messages. Now payload match policy supports both REST & SOAP.
• Support of new configuration 'Enable_Error_Set' for enabling API service endpoint supported static custom messages to override Connector runtime message.

August 27, 2020

New Feature

AWS Lambda Sidecar Integration Connector 

The AWS Lambda Sidecar Integration Connector is now available. This Connector supports TIBCO Cloud Mashery sidecar integration for AWS Lambda function. Features include:

• Supports AssumeRole IAM policy with external ID for enhancement security of AWS Lambda resources access in compliance of AWS shared responsibility model.
• Supports configurable sure-fire and fail-safe modes to invoke AWS Lambda function to influence Gateway action.
• Supports RESTful POST messages only for AWS Lambda function invocation.
• Supports optional configurable parameters to apply business policies to influence API behavior in the end-to-end call flow.

Change in Functionality

The REST <-> SOAP Transformation connector has been updated with the following improvement: 

• Now supports handling of JSON payload with namespace in the transformation. 

August 18, 2020

New Feature

The following headers are added in the response of the Mashery Developer Portal and Mashery Control Center page:

X-Content-Type-Options nosniff, X-XSS-Protection 1; Content-Security-Policy.

For Content Security policy header, Portal administrators may want to update the Content Security Policy from the Portal Settings page.

About Content Security Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those allowed/listed domains.

By default, Content Security Policy header is not added in the developer portal response. Portal administrator can set the content security policy through Control Center > Manage > Potal > Portal Setup page. Administrators can set the content security policy in the given text field. By default, no content security policy is set on the Developer Portal. Example of security policy required for the Developer Portal is provided in the description text.

Example -

If the administrator wants to set the Content Security Policy, the administrator will copy the example text, replace the value for portal-domain and then add/update any other directives. The policy provided in the example is required by the Developer Portal; hence those values should not be removed.

If the administrator wants to allow to load script from another domain, such as abcd.com , and a font from coolfonts.com, then the administrator will add *.abcd.com in the script-src directive and *.coolfonts.com in font-src directive of the example and set the entire text as a new content security policy.

August 4, 2020

Changes in Functionality

• There is a change in the way error messages are displayed to the user. The error message is now more informative with service key and endpoint key information and a hyperlink pointing to existing endpoint.  Also a single message is now displayed for all the conflicting HTTP verb instead of one error message for each verb. 

July 30, 2020

Improvements

The OAuth 2.0 Token Authentication connector has been updated with the following improvement:

• Support of configurable parameter Enable_Error_Set to control error response code sent by TIBCO Mashery.

  If Enable_Error_Set is configured as "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED in place of ERR_401_UNAUTHORIZED. In this case http response status code and status text for connector is overridden by error set defined for that endpoint in Mashery Control Center.

  If Enable_Error_Set is configured with value other than "true", then there is no change in Mashery Connector existing functionality that responds with ERR_401_UNAUTHORIZED for backend server response code with 401 for unauthorized calls.

  Enable_Error_Set parameter value with "true" is case-insensitive.

July 21, 2020

Change in Functionality

• General performance and stability improvements (WA-11046, WA-10992, WA-10843, WA-10786, WA-9402).

Closed Issue

• WA-11039 - While persisting Swagger 2.0 documents, a publicly-available schema document was relocated to a different URL location. Access to this schema document is not required to validate the document, so the reference to this URL has been removed.

July 7, 2020

New Features

• Previously, there was no option to re-parent a Portal Access Group role, once it was created. Now, you can re-parent an existing Portal Access Group role, by going to the edit page of Portal Access Groups, and re-parent it to any other organization or area level based on the permission of the user.
• RFC compliance for handling cache logic has been implemented.

Change in Functionality

• UI improvements (Plan Designer page) and performance enhancements in API Control Center dashboard.

Closed Issues

• EIN-1052 - Several POST,PUT,DELETE requests failed to return the correct response.
• EIN-4445 - GET response that was cached was being returned for POST, PUT, DELETE, PATCH and OPTIONS calls to the same endpoint
• WA-8858 - Improved session management for TIBCO Cloud enabled Mashery subscriptions. Users will no longer risk being logged out of the API Control Center when their session in TIBCO Cloud is left unused, assuming they are actively using the API Control Center.
• WA-10868 - If the 50 most recently created or updated records in the Organizations list were Sub organizations, the "New organization" button was getting hidden. This is now resolved and the button will not be hidden. 
• WA-10906 - The drop-down value for HTTPS Client Profile went blank or changed to a previous value.
• WA-11009 - Endpoint address not shown in Load Balancing menu in API Definition configuration.

July 2, 2020

Improvements

The OAuth Token Authentication connector has been updated with the following improvement:

• Support for strict case sensitive method for GET and POST calls to third party OAuth2.0 Auth server token validation endpoint. HTTP Verb must be case-sensitive and supported that way in compliance with RFC 7231 guidelines. https://tools.ietf.org/html/rfc7231#section-4

The HTTP Basic Authentication Connector has been updated with the following improvements:

• Support of 401 (Unauthorized) status code and WWW-Authenticate header field for an empty Authorization header in HTTP Basic Authentication Connector. Improvement is in compliance to RFC https://tools.ietf.org/html/rfc7617 for an empty authorization header in API request needed for HTTP Basic Authentication.
• Optional configuration parameter to keep TIBCO Cloud Mashery proxy platform response codes for backward compatibility.

June 11, 2020

New Features

REST <-> SOAP Transformation Connector

The REST <-> SOAP Transformation Connector is now available. This Connector supports the transforming of API request payload from REST(JSON) to SOAP and transforming backend SOAP response into REST(JSON). Also, supports RESTful POST messages only for transformation.

OAuth2.0 Token Authentication Connector

The OAuth2.0 Token Authentication Connector is now available. This Connector supports securing APIs in TIBCO Mashery using third party IDP based OAuth2.0 access token. Features include:

• Ability to configure up to ten OAuth2.0 introspection endpoints per service endpoint for token validation using any third party IDP.
• Conditional pickup of introspection endpoint for token validation based on incoming meta data for geo-distributed API services.
• Ability to enrich API request header with meta data that can be returned after successful token validation.

June 2, 2020

New Feature

TIBCO Cloud Mesh

TIBCO Cloud Mesh allows you to discover any private REST endpoint exposed within TIBCO Cloud domains, within your organization or related organizations.

Authentication and authorization for these private endpoints is provided automatically. You can browse available services and select one, rather than copying and pasting a URL.

For more information, see Creating an Endpoint using TIBCO Cloud Mesh.

Closed Issue

WA-10959 - Resolved issue wherein links on API Control Center > Manage > Portal > General redirected to blank pages.

May 28, 2020

New Feature

Sensitive Data Field Masking for Call Log Export

Call Log Export (ECLE) Masking feature allows customers to mask some or all characters in sensitive fields such as API Key and OAuth token in both new and existing ECLE profiles. Customers must update ECLE profile in order to activate for existing exports.

For more information, see Call Log Export Setting.

May 21, 2020

Change in Functionality 

Updated API Policy Connector

The following improvement was made in the API Policy Connector.

• Supports 'Effect' factor that drives 'Allow' or 'Deny' behavior on match policy.

May 12, 2020

Closed Issues

WA-10860 - API Control Center threw a duplicate endpoint error when "/" was included at the end of the request URL path.

New Features

 Revised the UI text in API Control Center for the "Remove API Key and Signature from Endpoint Call" feature for clarity of actual function.

May 11, 2020

New Features

JWT Authentication Connector

The JWT Authentication Connector is now available. This Connector supports match policy to allow additional validation based on JWT claims value.

OAuth2JWT Authentication Connector

The OAuth2JWT Authentication Connector is now available. This Connector supports match policy to allow additional validation based on JWT claims value.

API Policy Connector

The API Policy Connector is now available. This Connector allows you to apply policies to change the behavior of the API through configuration. Currently supports Request, Response and third party JWT object context.

Additional features of this Connector:

• Third party JWT Claims Verification Policy. Supports JWT token object context.
• Third party JWT Signature Verification Policy. Supports JWT token object context.
• API Payload Attribute Match Policy. Supports Request and Response object context. API policy for finding payload attribute and applying match. Support JSONPath (JSON Payload) and XPath expression (XML Payload).
• API Request and Response object context based match policy. Supports match keywords using operation ContainsAny, ContainsAll, JSONPath, and XPath.

Closed Issues

• WA-10798 - Conflict when creating a public endpoint resolved.

April 2, 2020

Change in Functionality 

Updated XML <-> JSON Transformation Connector  

The following improvements were made in the XML <-> JSON Transformation Connector.

• Support optional charset check in the application/json Content-Type header for accurate JSON ? XML transformation. 
• Support overriding default Connector error messages with APICC configured custom error messages using an optional flag 'override_custom_error_message'.

Updated SOAP <-> REST Transformation Connector

The following improvements were made in the SOAP <-> REST Transformation Connector.

• Support accurate caching of POST request having XML payload with namespace.
• Support overriding default Connector error messages with TIBCO Mashery Control Center configured custom error messages using an optional flag 'override_custom_error_message'.

Updated SOAP Cache Connector

The following improvement was made in the SOAP Cache Connector. Support accurate caching of POST request having XML payload with namespace.

Updated REST Cache Connector

The following improvement was made in the REST Cache Connector. Support accurate caching of POST request having XML payload with namespace.

March 24, 2020

Closed Issues

• WA-10685 - Mashery provided OAuth Token endpoint was returning ?Service Not Found? during CORS pre-flight call.
• WA-10618 - Resolved ACL consistency between API and Dashboard.

March 20, 2020

Change in Functionality

Updated IP Blocking Connector

Following improvements were made in this Mashery Connector:

1. The IP Blocking Connector has been improved to accurately identify Client IP addresses for blocking feature.

2. Connectors now supports overriding default behavior of X-FORWARDED-FOR header to pick client IP address using a configurable flag keep_client_ip_as_source. This flag overrides default selecting IP address of intermediaries like load balancer or third party proxy that is closest to the Mashery stack.

March 19, 2020

Change in Functionality

Updated IP Whitelisting Connector

Following improvements were made in this Mashery Connector:

1. The IP Whitelisting Connector has been Improved to accurately identify Client IP addresses for whitelisting feature.

2. Connectors now supports overriding default behavior of X-FORWARDED-FOR header to pick client IP address using a configurable flag keep_client_ip_as_source . This flag overrides default selecting IP address of intermediaries like load balancer or third party proxy that is closest to the Mashery stack.

New Feature

REST Cache Connector

New Mashery Connector, REST Cache Connector, supports caching of REST POST requests, which allows requests that have the same payload and configured headers value to be served from the cache.

March 10, 2020

New Feature

Organization-related information (Org/SubOrg Name & UUID) synchronized to Mashery Local for inclusion in logs is now available through Log Service.

February 27, 2020

New Features

SOAP Cache Connector

New Mashery Connector, SOAP Cache Connector, supports caching of SOAP with POST requests, which allows requests that have the same payload and configured headers value to be served from the cache.

Ping Auth Connector

New Mashery Connector, Ping Auth Connector, consists of the following:

• Ping Federate OAuth2 Connector - covers frontend security.
• Ping Federate OAuth2 LMS Connector - covers Last Mile Security.

January 21, 2020

New Features

• Normalize Audit History time zone from PDT to GMT.
• Support hyphen and underscore in Organization and Sub-Organization names.

Closed Issues

• WA-10600 - Enum values not honored during ?try it now? with Swagger 2.0 on Interactive Documentation resolved. 
• WA-10380 - Manually-entered parameter values were reverting to defaults in interactive documentation.
• WA-9635 - Page content was blank in CMS on page load.
• WA-9903 - Second use of authorization resulted in ?Unknown security definition type http? error.

January 9, 2020

New Features

XML <-> JSON Transformation Connector

New Mashery Connector, XML <-> JSON Transformation Connector,  supports transforming an API request payload from XML to JSON and vice versa.:

SOAP <-> REST Transformation Connector

New Mashery Connector, SOAP <-> REST Transformation Connector, supports transforming API request payload from SOAP message to REST(JSON) and vice versa.

November 12, 2019

New Feature

In an effort to simplify Domain whitelisting, the Control Center has been modified to not allow IP addresses to be specified when adding whitelisted domains. A warning message is displayed if an IP address is specified.

November 5, 2019

Closed Issue

• WA-10256 - Removal of replacement variables in New Member Registration email were being appended to Email regardless of the configured template. This has been fixed.

November 1, 2019

Closed Issue

• WA-10439 - Developer-facing Reporting and CSV download on Developer Portal returning 404 page not found.

October 10, 2019

New Feature

Time stamp of last login for Developer Portal user now exposed on the member record, accessible via API Call.

July 3, 2019

Closed Issue

• RPT-3250 - Unable to create Amazon S3 bucket path for Enriched Call Log Export (ECLE).

June 19, 2019

New Feature

Geo Target Routing Connector updated in the TIBCO Cloud? Mashery - Connectors Guide.

Mashery Connectors are TIBCO Mashery's Cloud feature plugins and extensions that have been developed and available out of box for Mashery Cloud customers. Connectors have been carefully envisioned to address common use-cases such as: content injection, content filtering, content transformation, call authentication using third-party IDP, IP-based call filtering, domain-based routing, geo-location based routing and HTTP header manipulation.