TIBCO Mashery Release Notes
June 15, 2021
- WA-11533 - Resolved admin issue of creating/deleting sub-organizations.
June 01, 2021
Change in Functionality
An Admin is now warned when disabling or deleting an Admin user who holds a Mashery API key.
- WA-11426 - Cloning of an Attack Surface Reduction (ASR) endpoint now works as expected.
- WA-11538 - Issues with Mashery user accounts that have special characters in the TIBCO Cloud account are now fixed.
May 18, 2021
- WA-11344 - Updated visibility and access for the API Manager role to view HTTPSClientProfile in Mashery Control Center.
- WA-11554 - Developer portal key activity reports were not returning any data. This issue has been fixed.
April 27, 2021
Change in Functionality
When using the Mashery Platform API to CreateAccessToken, if User_Context is not passed in the call, the response will return a “null” value instead of a blank value.
- WA-11270 - General performance, security, and stability fixes.
- WA-11255 - Resolved issue which prevented Organization Admins from creating Sub-Organization Endpoints.
April 20, 2021
The behavior of the Service User role has been updated:
- Service User can be assigned along with other roles.
- ACL Permissions of roles other than Service User role determine the access permission for the user.
- Evaluation Area Creation: the auto-generated user with the Service User role now also receives an Administrator role during creation.
- WA-11518 - Resolved error during login from TIBCO Cloud into Mashery Control Center under a specific Organization/Child-Organization.
- WA-11456 - Updates to use and scope of Service User roles.
- WA-11316 - The Delete audit trail history for an API Package Key after a Package/Plan is deleted was missing. This is now fixed.
April 13, 2021
The user_context field is now included in the response from TIBCO Cloud Mashery.
March 30, 2021
Enriched Call Log Export (ECLE) has been updated as follows:
- All ECLE profiles now require the enhanced security configuration, which includes assumed-role access and native S3 bucket encryption.
- As communicated in the past, all unencrypted and IAM access functionality will be deprecated and all unencrypted configurations will be disabled.
- Please see the setup instructions on the Control Center ECLE page for more information about configuring your AWS account before creating or updating an ECLE profile.
Added the ability to validate API calls using encrypted JWT JWE (JSON Web Encryption).
General performance, security, and stability improvements. (AJ-2249, AJ-2260, AJ-2281, AJ-2294, AJ-2298, AJ-2322)
March 2, 2021
Support for Mutual Transport Layer Security (mTLS)
The Control Center UI has been updated to support mTLS (Mutual TLS) configuration for endpoints. With mTLS, client and server verify each other's certificates. Note that this feature is available only to customers on Mashery Local 5.3.1 and above who are using tethered mode.
General performance, security, and stability improvements (WA-11271, WA-11351, WA-11437).
- EIN-8084 - Broken formatting on Call Inspector Call Detail panes. This is now fixed.
February 9, 2021
General performance, security, and stability improvements (WA-11253).
January 26, 2021
Ability to Configure Content Security Policy (CSP) for Developer Portal
A Content Security Policy (CSP) editor is now available when configuring a Developer Portal. For more information, refer to Customizing your Portal.
General performance, security, and stability improvements (WA-11275, WA-11385).
November 10, 2020
The Service User role, initially available only for CIC areas, is now available on all areas. Once a user is assigned this role, the user will not be able to log in to the Control Center/Dashboard. The appropriate warning/confirmation is displayed when this role is assigned to any member in the Access settings panel. A user assigned this role will be able to invoke APIs as an area admin. A service user will also be able to log in to the developer portal.
October 29, 2020
The API Policy Connector has been updated with the following new feature:
- JWE (JSON Web Encryption) support for third party JWT tokens. Compliant with the JWE RFC, https://tools.ietf.org/html/rfc7516. Supports the following key management and content encryption algorithms:
- JWE 'alg': RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
- JWE 'enc': A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512, A128GCM, A192GCM and A256GCM, HS512
OIDC Token Authentication Connector
The OIDC Token Authentication Connector is now available. This Connector supports securing APIs in TIBCO Mashery using an ID token issued by a third party OIDC IDP. Features include:
- Ability to configure up to ten user info endpoints per service endpoint for ID validation using any third party OIDC IDP.
- Conditional pickup of user info endpoint for user info based on incoming meta data for geo-distributed API services.
- Ability to enrich API request header with user info meta data that is returned after successful ID validation.
- Support for a strict case-sensitive method for GET and POST calls to the third party OAuth 2.0 authorization server's user info endpoint. The HTTP verb must be case-sensitive and is supported that way in compliance with RFC 7231.
- Support for the configurable parameter enable_error_set to control the error response code sent by TIBCO Mashery. If enable_error_set is configured as "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED, which is a Gateway supported error message; in this case the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in Mashery Control Center. If enable_error_set is configured with any value other than "true", the existing Mashery Connector behavior is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns a 401 for unauthorized calls. The value "true" for enable_error_set is case-insensitive.
- Support of UserInfo error responses on error condition as defined in the OAuth 2.0 Bearer Token Usage Specification. https://tools.ietf.org/html/rfc6750#section-3.1
The SOAP WS-Security Connector has been updated with the following enhancements:
- Supports SOAP message payload size up to 1024 KB (1 MB).
- Error handling improvement for accurate checking of supported signature and encryption algorithms.
October 27, 2020
New Organization-specific Role: Organization Support User
Added a new organization-specific role, Organization Support User, for all organizations including existing ones. The Organization Support User role has read-only access to all pages in the API Control Center dashboard, with data filtered based on the Organization. Buttons (such as Save, Create, Edit and Delete) and various fields (such as checkboxes and text boxes) are disabled for Organization Support Users.
Change in Functionality
The warning message for 'Time to wait for a response from endpoint' has been updated to specify that it applies only for Mashery Cloud calls (and not for Mashery Local).
- WA-11295 - Fixed general issues related to Dapi.
- WA-11282 - Map Overlay reports were not loading correctly from API Control Center > Reports > Developer Activity > Map Overlay. This is now fixed.
October 13, 2020
WA-11105 - Resolved packager-based reporting map overlay display bug.
October 8, 2020
SOAP WS-Security Connector
The SOAP WS-Security Connector is now available. This Connector supports the SOAP WS-Security specifications: it validates SOAP API calls by checking the SOAP message signature and applies encryption/decryption to enforce message integrity and confidentiality. It also supports optionally creating the security header with the timestamp component in the outgoing request to the backend API server.
The AWS Lambda Sidecar Integration Connector has been updated with the following improvement:
- Better resiliency in error management by handling the Lambda function custom runtime exception that comes with the X-Amz-Function-Error header (see the AWS Lambda Runtime Error Handling documentation).
- Improvement to secure and encrypt confidential credentials such as externalID by integrating with AWS Systems Manager Parameter Store.
The REST <-> SOAP Transformation Connector has been updated with the following improvement:
- Supports an accurate Content-Type header for REST → SOAP transformation for both SOAP 1.1 and SOAP 1.2:
  - REST(JSON) -> SOAP 1.1: the Content-Type header is set to application/xml;charset=UTF-8 after transformation.
  - REST(JSON) -> SOAP 1.2: the Content-Type header is set to application/soap+xml;charset=UTF-8 after transformation.
October 1, 2020
JSON Schema And Payload Size Validation Connector
The JSON Schema And Payload Size Validation Connector is now available. This Connector supports RESTful API request validation using a JSON schema referenced in either the Content-Type header or the Link header. Features include:
- Support for RESTful API payload size validation.
- Optional fail-safe mode for payload size validation. With fail-safe set to true, an API call is forwarded even if its payload exceeds the configured max size, as long as it is below the max allowed payload size.
- Supports the configuration 'override_custom_error_message', which lets static custom messages configured on the API service endpoint override the Connector runtime message.
September 23, 2020
Change in Functionality
Call Log Export (ECLE) S3 Server-Side Encryption
In an effort to provide improved security for the Call Log Export (ECLE) feature, we have added support for S3 Server-Side Encryption. To use this feature, all AWS resources are created by the customer, providing full ownership of the encryption, authentication/authorization, and storage mechanisms using the TIBCO provided CloudFormation template.
To activate this feature, enable the Bucket Encryption flag on the ECLE profile create or edit screens. Once the Bucket Encryption flag is enabled, you will need to input fields S3 Bucket Name, IAM Role Arn, CMK Arn, and ExternalId for Role Assumption. This information is generated after successful stack creation using the provided CloudFormation template.
For more information, refer to the Setup Instructions provided in the ECLE profile create or edit screen.
Because security is more important than ever, we are deprecating the existing IAM based bucket policy functionality in early November. Between the launch of the encryption functionality and the deprecation of IAM bucket policy support, we are requiring customers to run in both modes. The provided CloudFormation template will allow you to either apply the new settings to an existing bucket, or create a new bucket with both sets of configuration. We will notify you once the IAM policy functionality has been disabled, at which point we recommend that you remove the IAM based policy from your S3 bucket. ECLE profiles not implementing the new encryption policy by November 10th will be disabled until their configuration is updated to the new encrypted mode.
September 15, 2020
The API Policy connector has been updated with the following improvements:
- Extend payload match policy to support SOAP messages. Now payload match policy supports both REST & SOAP.
- Support of new configuration 'Enable_Error_Set' for enabling API service endpoint supported static custom messages to override Connector runtime message.
August 27, 2020
AWS Lambda Sidecar Integration Connector
The AWS Lambda Sidecar Integration Connector is now available. This Connector supports TIBCO Cloud Mashery sidecar integration for AWS Lambda function. Features include:
- Supports an AssumeRole IAM policy with an external ID for enhanced security of access to AWS Lambda resources, in compliance with the AWS shared responsibility model.
- Supports configurable sure-fire and fail-safe modes for invoking the AWS Lambda function to influence the Gateway action.
- Supports RESTful POST messages only for AWS Lambda function invocation.
- Supports optional configurable parameters to apply business policies to influence API behavior in the end-to-end call flow.
The REST <-> SOAP Transformation connector has been updated with the following improvement:
- Now supports handling of JSON payload with namespace in the transformation.
August 18, 2020
The following headers are now added to the responses of the Mashery Developer Portal and Mashery Control Center pages:
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1
- Content-Security-Policy
For the Content-Security-Policy header, Portal administrators may want to update the Content Security Policy from the Portal Settings page.
About Content Security Policy
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those allowed/listed domains.
By default, no Content-Security-Policy header is added to the Developer Portal response. A Portal administrator can set the content security policy through Control Center > Manage > Portal > Portal Setup by entering it in the text field provided. An example of the security policy required by the Developer Portal is given in the description text.
To set the Content Security Policy, the administrator copies the example text, replaces the value for portal-domain and then adds or updates any other directives. The policy in the example is required by the Developer Portal, so those values should not be removed.
If the administrator wants to allow scripts to load from another domain, such as abcd.com, and fonts from coolfonts.com, the administrator adds *.abcd.com to the script-src directive and *.coolfonts.com to the font-src directive of the example and sets the entire text as the new content security policy.
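The edit described above, as an added example that is not TIBCO's code: a small Python helper that parses a policy, fills in the portal domain, adds *.abcd.com to script-src and *.coolfonts.com to font-src, and checks that none of the required base directives were dropped. BASE_POLICY is a constructed placeholder; the real required policy is the example text on the Portal Setup page.

```python
"""Edit a Content Security Policy value the way the release note describes.

Added example, not TIBCO Mashery code. BASE_POLICY is a constructed
placeholder standing in for the example text on the Portal Setup page;
the real required directives come from that page, not from here.
"""

# Constructed placeholder; "portal-domain" is the value the admin replaces.
BASE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://portal-domain; "
    "style-src 'self'; "
    "font-src 'self'; "
    "img-src 'self' data:"
)

# Source expressions that make script-src ineffective against XSS.
WEAK_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}


def parse_csp(policy):
    """Return {directive: [source, ...]} preserving directive order."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Browsers ignore a repeated directive, so keep the first occurrence.
        directives.setdefault(name, sources)
    return directives


def serialize_csp(directives):
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())


def set_portal_domain(policy, domain):
    """Replace the portal-domain placeholder with the real portal host."""
    return policy.replace("portal-domain", domain)


def add_sources(policy, additions):
    """Add sources per directive without removing anything already present."""
    directives = parse_csp(policy)
    for name, new_sources in additions.items():
        existing = directives.setdefault(name.lower(), [])
        for src in new_sources:
            if src not in existing:
                existing.append(src)
    return serialize_csp(directives)


def missing_required_sources(required_policy, candidate_policy):
    """List (directive, source) pairs from required_policy absent in candidate."""
    required = parse_csp(required_policy)
    candidate = parse_csp(candidate_policy)
    return [(name, src) for name, sources in required.items()
            for src in sources if src not in candidate.get(name, [])]


def weak_script_sources(policy):
    """Return weak entries in script-src, falling back to default-src."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    return sorted(WEAK_SCRIPT_SOURCES.intersection(sources))


def build_portal_policy(domain, additions):
    """Full workflow from the note: fill in the domain, then add directives."""
    required = set_portal_domain(BASE_POLICY, domain)
    policy = add_sources(required, additions)
    # The required directives must survive the edit.
    assert not missing_required_sources(required, policy)
    return policy


if __name__ == "__main__":
    print(build_portal_policy("developer.example.com",
                              {"script-src": ["*.abcd.com"], "font-src": ["*.coolfonts.com"]}))
```

A host wildcard such as *.abcd.com allows every subdomain of abcd.com, so weak_script_sources is worth running on the final text before saving it.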
August 4, 2020
Changes in Functionality
There is a change in the way error messages are displayed to the user. The error message is now more informative, including the service key and endpoint key and a hyperlink to the existing endpoint. Also, a single message is now displayed for all conflicting HTTP verbs instead of one error message per verb.
July 30, 2020
The OAuth 2.0 Token Authentication connector has been updated with the following improvement:
Support for the configurable parameter Enable_Error_Set to control the error response code sent by TIBCO Mashery.
If Enable_Error_Set is configured as "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED in place of ERR_401_UNAUTHORIZED. In this case the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in Mashery Control Center.
If Enable_Error_Set is configured with any value other than "true", the existing Mashery Connector behavior is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns a 401 for unauthorized calls.
The value "true" for Enable_Error_Set is case-insensitive.
July 21, 2020
General performance and stability improvements (WA-11046, WA-10992, WA-10843, WA-10786, WA-9402).
- WA-11039 - While persisting Swagger 2.0 documents, a publicly-available schema document was relocated to a different URL location. Access to this schema document is not required to validate the document, so the reference to this URL has been removed.
July 7, 2020
- Previously, there was no option to re-parent a Portal Access Group role once it was created. Now you can re-parent an existing Portal Access Group role from the edit page of Portal Access Groups, moving it to any other organization or area level according to the user's permissions.
- RFC compliance for handling cache logic has been implemented.
UI improvements (Plan Designer page) and performance enhancements in API Control Center dashboard.
- EIN-1052 - Several POST,PUT,DELETE requests failed to return the correct response.
- EIN-4445 - A cached GET response was being returned for POST, PUT, DELETE, PATCH and OPTIONS calls to the same endpoint.
- WA-8858 - Improved session management for TIBCO Cloud enabled Mashery subscriptions. Users will no longer risk being logged out of the API Control Center when their session in TIBCO Cloud is left unused, assuming they are actively using the API Control Center.
- WA-10868 - If the 50 most recently created or updated records in the Organizations list were Sub organizations, the "New organization" button was getting hidden. This is now resolved and the button will not be hidden.
- WA-10906 - The drop-down value for HTTPS Client Profile went blank or changed to a previous value.
- WA-11009 - Endpoint address not shown in Load Balancing menu in API Definition configuration.
July 2, 2020
The OAuth Token Authentication connector has been updated with the following improvement:
Support for a strict case-sensitive method for GET and POST calls to the third party OAuth 2.0 authorization server's token validation endpoint. The HTTP verb must be case-sensitive and is supported that way in compliance with RFC 7231 (https://tools.ietf.org/html/rfc7231#section-4).
The HTTP Basic Authentication Connector has been updated with the following improvements:
- Support for the 401 (Unauthorized) status code and the WWW-Authenticate header field when the Authorization header is empty in the HTTP Basic Authentication Connector. This is in compliance with RFC 7617 (https://tools.ietf.org/html/rfc7617) for an empty Authorization header in an API request that requires HTTP Basic Authentication.
- Optional configuration parameter to keep the TIBCO Cloud Mashery proxy platform response codes for backward compatibility.
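The RFC 7617 behaviour in the first item above, as an added example that is not the Connector's code: an absent, empty or malformed Authorization header gets a 401 with a WWW-Authenticate challenge, and otherwise the credentials are checked in constant time. The realm name and the credential store are constructed for the example.

```python
"""HTTP Basic Authentication handling along the lines of RFC 7617.

Added example, not the Mashery Connector's code. The realm and the
credential store are constructed for illustration.
"""
import base64
import hmac

REALM = "mashery-example"  # constructed realm name


def challenge():
    """RFC 7617 section 2: the challenge names the realm and may give charset."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def parse_basic_credentials(authorization):
    """Return (user, password), or None if the header cannot be used."""
    if authorization is None or not authorization.strip():
        return None  # absent or empty header: the case the release note covers
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # the auth-scheme token is case-insensitive (RFC 7235)
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # user-id and password must be separated by a colon
    return user, password


def authenticate(headers, credentials):
    """Return (status, response_headers). credentials maps user -> password."""
    parsed = parse_basic_credentials(headers.get("Authorization"))
    if parsed is None:
        return challenge()
    user, password = parsed
    expected = credentials.get(user, "")
    # Compare even for unknown users so timing does not reveal valid user-ids.
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return challenge()


# Constructed credential store for the example (a real store holds hashes).
SAMPLE_CREDENTIALS = {"alice": "s3cret"}

if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": ""}, {"Authorization": "Basic YWxpY2U6czNjcmV0"}):
        print(hdrs, "->", authenticate(hdrs, SAMPLE_CREDENTIALS))
```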
June 11, 2020
REST <-> SOAP Transformation Connector
The REST <-> SOAP Transformation Connector is now available. This Connector transforms the API request payload from REST(JSON) to SOAP and transforms the backend SOAP response into REST(JSON). Only RESTful POST messages are supported for transformation.
OAuth2.0 Token Authentication Connector
The OAuth2.0 Token Authentication Connector is now available. This Connector supports securing APIs in TIBCO Mashery using third party IDP based OAuth2.0 access token. Features include:
- Ability to configure up to ten OAuth2.0 introspection endpoints per service endpoint for token validation using any third party IDP.
- Conditional pickup of introspection endpoint for token validation based on incoming meta data for geo-distributed API services.
- Ability to enrich API request header with meta data that can be returned after successful token validation.
June 2, 2020
TIBCO Cloud Mesh
TIBCO Cloud Mesh allows you to discover any private REST endpoint exposed within TIBCO Cloud domains, within your organization or related organizations.
Authentication and authorization for these private endpoints is provided automatically. You can browse available services and select one, rather than copying and pasting a URL.
For more information, see Creating an Endpoint using TIBCO Cloud Mesh.
WA-10959 - Resolved issue wherein links on API Control Center > Manage > Portal > General redirected to blank pages.
May 28, 2020
Sensitive Data Field Masking for Call Log Export
The Call Log Export (ECLE) masking feature allows customers to mask some or all characters in sensitive fields such as API Key and OAuth token in both new and existing ECLE profiles. Customers must update the ECLE profile to activate masking for existing exports.
For more information, see Call Log Export Setting.
May 21, 2020
Updated API Policy Connector
The following improvement was made in the API Policy Connector.
- Supports 'Effect' factor that drives 'Allow' or 'Deny' behavior on match policy.
May 12, 2020
WA-10860 - API Control Center threw a duplicate endpoint error when "/" was included at the end of the request URL path.
WA-10604 - Revised the UI text in API Control Center for the "Remove API Key and Signature from Endpoint Call" feature for clarity of actual function.
May 11, 2020
JWT Authentication Connector
The JWT Authentication Connector is now available. This Connector supports match policy to allow additional validation based on JWT claims value.
OAuth2JWT Authentication Connector
The OAuth2JWT Authentication Connector is now available. This Connector supports match policy to allow additional validation based on JWT claims value.
API Policy Connector
The API Policy Connector is now available. This Connector allows you to apply policies to change the behavior of the API through configuration. Currently supports Request, Response and third party JWT object context.
Additional features of this Connector:
- Third party JWT Claims Verification Policy. Supports JWT token object context.
- Third party JWT Signature Verification Policy. Supports JWT token object context.
- API Payload Attribute Match Policy. Supports Request and Response object context. An API policy for finding a payload attribute and applying a match. Supports JSONPath (JSON payload) and XPath (XML payload) expressions.
- API Request and Response object context based match policy. Supports match keywords using operation ContainsAny, ContainsAll, JSONPath and XPath.
WA-10798 - Conflict when creating a public endpoint resolved.
April 2, 2020
Updated XML <-> JSON Transformation Connector
The following improvements were made in the XML <-> JSON Transformation Connector.
- Support optional charset check in the application/json Content-Type header for accurate JSON → XML transformation.
- Support overriding default Connector error messages with APICC configured custom error messages using an optional flag 'override_custom_error_message'.
Updated SOAP <-> REST Transformation Connector
The following improvements were made in the SOAP <-> REST Transformation Connector.
- Support accurate caching of POST request having XML payload with namespace.
- Support overriding default Connector error messages with TIBCO Mashery Control Center configured custom error messages using an optional flag 'override_custom_error_message'.
Updated SOAP Cache Connector
The following improvement was made in the SOAP Cache Connector. Support accurate caching of POST request having XML payload with namespace.
Updated REST Cache Connector
The following improvement was made in the REST Cache Connector. Support accurate caching of POST request having XML payload with namespace.
March 24, 2020
- WA-10685 - Mashery provided OAuth Token endpoint was returning “Service Not Found” during CORS pre-flight call.
- WA-10618 - Resolved ACL consistency between API and Dashboard.
March 20, 2020
Changes in Functionality
Updated IP Blocking Connector
Following improvements were made in this Mashery Connector:
1. The IP Blocking Connector has been improved to accurately identify client IP addresses for the blocking feature.
2. The Connector now supports overriding the default handling of the X-FORWARDED-FOR header when picking the client IP address, using the configurable flag keep_client_ip_as_source. By default the IP address selected is that of the intermediary (such as a load balancer or third party proxy) closest to the Mashery stack; this flag overrides that default.
March 19, 2020
Changes in Functionality
Updated IP Whitelisting Connector
Following improvements were made in this Mashery Connector:
1. The IP Whitelisting Connector has been improved to accurately identify client IP addresses for the whitelisting feature.
2. The Connector now supports overriding the default handling of the X-FORWARDED-FOR header when picking the client IP address, using the configurable flag keep_client_ip_as_source. By default the IP address selected is that of the intermediary (such as a load balancer or third party proxy) closest to the Mashery stack; this flag overrides that default.
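The client IP selection described for both the IP Whitelisting Connector (above) and the IP Blocking Connector (March 20), as an added example that is not the Connectors' code: it models the default choice (the peer nearest the Mashery stack) against keep_client_ip_as_source (the originating client from X-Forwarded-For) and shows how the allow/block decision changes. The flag name is from the release notes; the header parsing, sample request and CIDR lists are constructed.

```python
"""Pick the address an IP allow/block list is checked against.

Added example, not the Mashery Connectors' code. Default mode uses the
address of the hop closest to the Mashery stack (the peer that connected);
keep_client_ip_as_source uses the originating client address taken from
X-Forwarded-For. Only the flag name comes from the release notes.
"""
import ipaddress


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _valid_ip(text):
    """Normalised IPv4/IPv6 address string, or None if the token is not an IP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def select_client_ip(remote_addr, headers, keep_client_ip_as_source=False):
    """Return the address to evaluate against the allow/block list.

    Default: remote_addr, the load balancer or proxy nearest the stack.
    keep_client_ip_as_source: the leftmost valid X-Forwarded-For entry, the
    original client as reported by the intermediaries; falls back to
    remote_addr when the header is missing or holds no usable address.
    """
    if not keep_client_ip_as_source:
        return remote_addr
    for entry in _header(headers, "X-Forwarded-For").split(","):
        ip = _valid_ip(entry)
        if ip:
            return ip
    return remote_addr


def matches(ip, cidrs):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def blocking_decision(remote_addr, headers, blocklist, keep_client_ip_as_source=False):
    """(selected_ip, blocked) for the IP Blocking Connector model."""
    ip = select_client_ip(remote_addr, headers, keep_client_ip_as_source)
    return ip, matches(ip, blocklist)


def whitelisting_decision(remote_addr, headers, allowlist, keep_client_ip_as_source=False):
    """(selected_ip, allowed) for the IP Whitelisting Connector model."""
    ip = select_client_ip(remote_addr, headers, keep_client_ip_as_source)
    return ip, matches(ip, allowlist)


# Constructed sample: a client on a listed range reaches the stack through a
# third-party proxy and then the load balancer that connects to Mashery.
SAMPLE_REMOTE_ADDR = "192.0.2.10"  # load balancer, nearest the stack
SAMPLE_HEADERS = {"x-forwarded-for": "203.0.113.7, 198.51.100.2"}
SAMPLE_BLOCKLIST = ["203.0.113.0/24"]

if __name__ == "__main__":
    for flag in (False, True):
        print("keep_client_ip_as_source =", flag,
              blocking_decision(SAMPLE_REMOTE_ADDR, SAMPLE_HEADERS, SAMPLE_BLOCKLIST, flag))
```

The leftmost X-Forwarded-For entry is written by whichever hop first added the header, so with keep_client_ip_as_source the list decision is only as trustworthy as the first proxy in the chain; confirm that your edge proxy overwrites or strips a client-supplied header before relying on it.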
REST Cache Connector
New Mashery Connector, REST Cache Connector, supports caching of REST POST requests, which allows requests that have the same payload and configured header values to be served from the cache.
March 10, 2020
Organization-related information (Org/SubOrg Name & UUID) synchronized to Mashery Local for inclusion in logs is now available through Log Service.
February 27, 2020
SOAP Cache Connector
New Mashery Connector, SOAP Cache Connector, supports caching of SOAP POST requests, which allows requests that have the same payload and configured header values to be served from the cache.
Ping Auth Connector
New Mashery Connector, Ping Auth Connector, consists of the following:
- Ping Federate OAuth2 Connector - covers frontend security.
- Ping Federate OAuth2 LMS Connector - covers Last Mile Security.
January 21, 2020
- Normalize Audit History timezone from PDT to GMT.
- Support hyphen and underscore in Organization and Sub-Organization names.
- WA-10600 - Enum values not honored during ‘try it now’ with Swagger 2.0 on Interactive Documentation resolved.
- WA-10380 - Manually-entered parameter values were reverting to defaults in interactive documentation.
- WA-9635 - Page content was blank in CMS on page load.
- WA-9903 - Second use of authorization resulted in “Unknown security definition type http” error.
January 9, 2020
XML <-> JSON Transformation Connector
New Mashery Connector, XML <-> JSON Transformation Connector, supports transforming an API request payload from XML to JSON and vice versa.
SOAP <-> REST Transformation Connector
New Mashery Connector, SOAP <-> REST Transformation Connector, supports transforming an API request payload from a SOAP message to REST(JSON) and vice versa.
November 12, 2019
In an effort to simplify Domain whitelisting, the Control Center has been modified to not allow IP addresses to be specified when adding whitelisted domains. A warning message is displayed if an IP address is specified.
November 5, 2019
WA-10256 - Replacement variables removed from the New Member Registration email were still being appended to the email regardless of the configured template. This has been fixed.
November 1, 2019
WA-10439 Developer-facing Reporting and CSV download on Developer Portal returning 404 page not found.
October 10, 2019
Time stamp of last login for Developer Portal user now exposed on the member record, accessible via API Call.
July 3, 2019
RPT-3250 - Unable to create Amazon S3 bucket path for Enriched Call Log Export (ECLE).
June 19, 2019
Mashery Connectors are TIBCO Mashery Cloud feature plugins and extensions that have been developed and are available out of the box for Mashery Cloud customers. Connectors have been carefully envisioned to address common use cases such as content injection, content filtering, content transformation, call authentication using a third-party IDP, IP-based call filtering, domain-based routing, geo-location based routing and HTTP header manipulation.