TIBCO Mashery Release Notes

Last updated: 6:45pm Jun 16, 2021

June 15, 2021

Closed Issue

  • WA-11533 - Resolved admin issue of creating/deleting sub-organizations.

June 01, 2021

Change in Functionality

An Admin is now warned if an Admin user still has a Mashery API key when being disabled or deleted.

Closed Issues

  • WA-11426 - Cloning of an Attack Surface Reduction (ASR) endpoint now works as expected.
  • WA-11538 - Issues with Mashery user accounts having special characters in TIBCO cloud account now fixed.

May 18, 2021

Closed Issues

  • WA-11344 - Updated visibility and access for the API Manager role to view HTTPSClientProfile in Mashery Control Center.
  • WA-11554 - Developer portal key activity reports were not returning any data. This issue has been fixed.

April 27, 2021

Change in Functionality

When using the Mashery Platform API to CreateAccessToken, if User_Context is not passed in the call, the response will return a “null” value instead of a blank value.

Closed Issues

  • WA-11270 - General performance, security, and stability fixes.
  • WA-11255 - Resolved issue which prevented Organization Admins from creating Sub-Organization Endpoints.

April 20, 2021

Enhancement

The behavior of the Service User role has been updated:

  • Service User can be assigned along with other roles.
  • ACL permissions of roles other than the Service User role determine the user's access permissions.
  • Evaluation Area Creation: For the auto-generated user with Service User, an Administrator role is now added in the creation process.

Closed Issues

  • WA-11518 - Resolved error during login from TIBCO Cloud into Mashery Control Center under a specific Organization/Child-Organization.
  • WA-11456 - Updates to use and scope of Service User roles.
  • WA-11316 - The Delete audit trail history entry for an API Package Key was missing after the Package/Plan was deleted. This is now fixed.

April 13, 2021

Enhancement

The user_context field is now included in the response from TIBCO Cloud Mashery.

March 30, 2021

New Features

Enriched Call Log Export (ECLE) has been updated as follows:

  • All ECLE profiles now require the enhanced security configuration, which includes assumed-role access and native S3 bucket encryption.
  • As communicated in the past, all un-encrypted and IAM access functionality will be deprecated and all the un-encrypted configurations will be disabled.
  • Please see the setup instructions present on the Control Center ECLE page for more information about configuring your AWS account prior to creating or updating an ECLE profile.

Added the ability to validate API calls using encrypted JWTs, i.e. JWE (JSON Web Encryption).

Enhancements

General performance, security, and stability improvements. (AJ-2249, AJ-2260, AJ-2281, AJ-2294, AJ-2298, AJ-2322)

March 2, 2021

New Feature

Support for Mutual Transport Layer Security (mTLS)

The Control Center UI has been updated to support mTLS (Mutual TLS) configuration for endpoints. mTLS ensures mutual verification between client and server. Note that this feature is only available to Mashery Local 5.3.1 and above customers running in tethered mode.

Enhancements

General performance, security, and stability improvements (WA-11271, WA-11351, WA-11437).

Closed Issue

  • EIN-8084 - Broken formatting on Call Inspector Call Detail panes. This is now fixed.

February 9, 2021

Enhancement

General performance, security, and stability improvements (WA-11253).

January 26, 2021

New Feature

Ability to Configure Content Security Policy (CSP) for Developer Portal

A Content Security Policy (CSP) editor is now available when configuring a Developer Portal. For more information, refer to Customizing your Portal.

Enhancements

General performance, security, and stability improvements (WA-11275, WA-11385).

November 10, 2020

New Feature

The Service User role, initially available only for CIC areas, is now available on all areas. Once a user is assigned this role, the user will not be able to log in to the Control Center/Dashboard. The appropriate warning/confirmation is displayed when this role is assigned to any member in the Access settings panel. A user assigned to this role will be able to invoke APIs as an area admin. A service user will also be able to log in to the developer portal.

October 29, 2020

New Features

The API Policy Connector has been updated with the following new feature:

  • JWE (JSON Web Encryption) support for third-party JWT tokens, compliant with the JWE RFC (https://tools.ietf.org/html/rfc7516). Supports the following key algorithms and content encryption algorithms:
    • JWE 'alg': [RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW]
    • JWE 'enc': [A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM, HS512]

OIDC Token Authentication Connector

The OIDC Token Authentication Connector is now available. This Connector supports securing APIs in TIBCO Mashery using third party OIDC IDP based ID token. Features include:

  • Ability to configure up to ten user info endpoints per service endpoint for ID validation using any third party OIDC IDP.
  • Conditional pickup of user info endpoint for user info based on incoming meta data for geo-distributed API services.
  • Ability to enrich API request header with user info meta data that is returned after successful ID validation.
  • Support for strict case sensitive method for GET and POST calls to third party OAuth2.0 Auth server user info endpoint. HTTP Verb must be case-sensitive and supported that way in compliance with RFC 7231 guidelines.
  • Support for the configurable parameter enable_error_set to control the error response code sent by TIBCO Mashery. If enable_error_set is configured as "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED, the Gateway-supported error message; in this case the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in Mashery Control Center. If enable_error_set is configured with any value other than "true", the Connector's existing behavior is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns a 401 for unauthorized calls. The "true" value of enable_error_set is case-insensitive.
  • Support of UserInfo error responses on error condition as defined in the OAuth 2.0 Bearer Token Usage Specification. https://tools.ietf.org/html/rfc6750#section-3.1

Enhancement

The SOAP WS-Security Connector has been updated with the following enhancements:

  • Supports SOAP message payload size up to 1024 KB (1 MB).
  • Error handling improvement for accurate checking of supported signature and encryption algorithms.

October 27, 2020

New Feature

New Organization-specific Role: Organization Support User

Added new organization-specific role - Organization Support User - for all organizations including existing organizations. The Organization Support User role has read-only access to all pages in the API Control Center dashboard with data filtered based on the Organization. Buttons (such as Save, Create, Edit and Delete) and various fields (such as checkboxes and text boxes) are disabled for Organization support users.

Change in Functionality

The warning message for 'Time to wait for a response from endpoint' has been updated to specify that it applies only for Mashery Cloud calls (and not for Mashery Local).

Closed Issues

  • WA-11295 - Fixed general issues related to Dapi.
  • WA-11282 - Map Overlay reports were not loading correctly from API Control Center > Reports > Developer Activity > Map Overlay. This is now fixed.

October 13, 2020

Closed Issue

WA-11105 - Resolved packager-based reporting map overlay display bug.

October 8, 2020

New Feature

SOAP WS-Security Connector

The SOAP WS-Security Connector is now available. This Connector supports the SOAP WS-Security specifications to validate SOAP API calls by verifying the SOAP message signature and to apply encryption/decryption, enforcing integrity and confidentiality of messages. It also optionally supports creating the security header with the Timestamp component in the outgoing request to the backend API server.

Enhancement

The AWS Lambda Sidecar Integration Connector has been updated with the following improvement:

Enhancement

The REST <-> SOAP Transformation Connector has been updated with the following improvement:

  • Supports an accurate Content-Type header for REST -> SOAP transformation for both SOAP 1.1 and SOAP 1.2:
    • REST(JSON) -> SOAP 1.1: the Content-Type header is set to application/xml;charset=UTF-8 after transformation.
    • REST(JSON) -> SOAP 1.2: the Content-Type header is set to application/soap+xml;charset=UTF-8 after transformation.

October 1, 2020

New Feature

JSON Schema And Payload Size Validation Connector

The JSON Schema And Payload Size Validation Connector is now available. This Connector supports RESTful API request validation using a JSON schema referenced either in the Content-Type header or in the Link header. Features include:

  • Support for RESTful API payload size validation.
  • Optionally supports a fail-safe mode for payload size validation. With fail-safe set to true, an API call is forwarded even if it exceeds the configured max size, as long as it is below the max allowed payload size.
  • Supports configuration 'override_custom_error_message' for enabling API service endpoint supported static custom messages to override Connector runtime message.

September 23, 2020

Change in Functionality

Call Log Export (ECLE) S3 Server-Side Encryption

In an effort to provide improved security for the Call Log Export (ECLE) feature, we have added support for S3 Server-Side Encryption. To use this feature, all AWS resources are created by the customer, providing full ownership of the encryption, authentication/authorization, and storage mechanisms using the TIBCO provided CloudFormation template.

To activate this feature, enable the Bucket Encryption flag on the ECLE profile create or edit screens. Once the Bucket Encryption flag is enabled, you will need to input fields S3 Bucket Name, IAM Role Arn, CMK Arn, and ExternalId for Role Assumption. This information is generated after successful stack creation using the provided CloudFormation template.

For more information, refer to the Setup Instructions provided in the ECLE profile create or edit screen.

Because security is more important than ever, we are deprecating the existing IAM based bucket policy functionality in early November. Between the launch of the encryption functionality and the deprecation of IAM bucket policy support, we are requiring customers to run in both modes. The provided CloudFormation template will allow you to either apply the new settings to an existing bucket, or create a new bucket with both sets of configuration. We will notify you once the IAM policy functionality has been disabled, at which point we recommend that you remove the IAM based policy from your S3 bucket. ECLE profiles not implementing the new encryption policy by November 10th will be disabled until their configuration is updated to the new encrypted mode.

September 15, 2020

Improvement

The API Policy connector has been updated with the following improvements:

  • Extend payload match policy to support SOAP messages. Now payload match policy supports both REST & SOAP.
  • Support of new configuration 'Enable_Error_Set' for enabling API service endpoint supported static custom messages to override Connector runtime message.

August 27, 2020

New Feature

AWS Lambda Sidecar Integration Connector 

The AWS Lambda Sidecar Integration Connector is now available. This Connector supports TIBCO Cloud Mashery sidecar integration for AWS Lambda function. Features include:

  • Supports an AssumeRole IAM policy with external ID for enhanced security of AWS Lambda resource access, in compliance with the AWS shared responsibility model.
  • Supports configurable sure-fire and fail-safe modes to invoke AWS Lambda function to influence Gateway action.
  • Supports RESTful POST messages only for AWS Lambda function invocation.
  • Supports optional configurable parameters to apply business policies to influence API behavior in the end-to-end call flow.

Enhancement

The REST <-> SOAP Transformation connector has been updated with the following improvement: 

  • Now supports handling of JSON payload with namespace in the transformation. 

August 18, 2020

New Feature

The following headers are added in the response of the Mashery Developer Portal and Mashery Control Center page:

X-Content-Type-Options: nosniff, X-XSS-Protection: 1, and Content-Security-Policy.

For the Content-Security-Policy header, Portal administrators may want to update the Content Security Policy from the Portal Settings page.

About Content Security Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those allowed/listed domains.

By default, no Content Security Policy is set on the Developer Portal, so no Content-Security-Policy header is added to the developer portal response. A Portal administrator can set the content security policy in the text field on the Control Center > Manage > Portal > Portal Setup page. An example of the security policy required by the Developer Portal is provided in the description text.

Example -

If the administrator wants to set the Content Security Policy, the administrator will copy the example text, replace the value for portal-domain and then add/update any other directives. The policy provided in the example is required by the Developer Portal; hence those values should not be removed.

If the administrator wants to allow scripts to load from another domain, such as abcd.com, and fonts from coolfonts.com, then the administrator will add *.abcd.com to the script-src directive and *.coolfonts.com to the font-src directive of the example and set the entire text as the new content security policy.
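The edit described above, as an added example (not TIBCO's code): a small CSP editor that parses the portal policy text, appends a source to a directive without disturbing the required entries, and reports any required source that a hand-edited policy has dropped. The baseline policy, portal domain and domains are constructed placeholders; the real required policy is the one shown in the Portal Setup description text.

```javascript
// Placeholder for the real portal-domain value from the Portal Setup page.
const PORTAL_DOMAIN = "portal.example.com";

// Constructed baseline standing in for the portal's required policy text.
const BASELINE_CSP =
  `default-src 'self'; script-src 'self' https://${PORTAL_DOMAIN}; ` +
  `font-src 'self' https://${PORTAL_DOMAIN}; img-src 'self' data:`;

// Parse a serialized CSP into an ordered Map of directive name -> source list.
// Per the CSP spec, directives are ';'-separated, values are whitespace-
// separated, names are ASCII case-insensitive, and a repeated directive is
// ignored (browsers honour the first occurrence only).
function parseCsp(policy) {
  const directives = new Map();
  for (const rawToken of policy.split(";")) {
    const parts = rawToken.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (directives.has(name)) continue;
    directives.set(name, parts.slice(1));
  }
  return directives;
}

// Serialize back into the single-line form the Portal Setup text field takes.
function serializeCsp(directives) {
  return Array.from(directives, ([name, sources]) =>
    [name, ...sources].join(" ")).join("; ");
}

// Return a new policy with `source` appended to `directive`, creating the
// directive if absent and leaving existing sources (and their order) intact.
function addSource(policy, directive, source) {
  const directives = parseCsp(policy);
  const name = directive.toLowerCase();
  const sources = directives.get(name) || [];
  if (!sources.includes(source)) sources.push(source);
  directives.set(name, sources);
  return serializeCsp(directives);
}

// Check that every source the portal requires is still present. Returns the
// list of "directive source" entries that are missing (empty means OK), which
// is the check to run before pasting a hand-edited policy into the field.
function missingRequired(policy, requiredPolicy) {
  const have = parseCsp(policy);
  const missing = [];
  for (const [name, sources] of parseCsp(requiredPolicy)) {
    const present = have.get(name) || [];
    for (const s of sources) if (!present.includes(s)) missing.push(`${name} ${s}`);
  }
  return missing;
}

// The release-note scenario: scripts from abcd.com and fonts from coolfonts.com
// on top of the required baseline.
function buildPortalPolicy() {
  let policy = addSource(BASELINE_CSP, "script-src", "*.abcd.com");
  policy = addSource(policy, "font-src", "*.coolfonts.com");
  return policy;
}
```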

August 4, 2020

Changes in Functionality

There is a change in the way error messages are displayed to the user. The error message is now more informative, including the service key and endpoint key and a hyperlink pointing to the existing endpoint. Also, a single message is now displayed for all the conflicting HTTP verbs instead of one error message per verb.

July 30, 2020

Improvements

The OAuth 2.0 Token Authentication connector has been updated with the following improvement:

  • Support of configurable parameter Enable_Error_Set to control error response code sent by TIBCO Mashery.

    If Enable_Error_Set is configured as "true", TIBCO Mashery responds with ERR_403_NOT_AUTHORIZED in place of ERR_401_UNAUTHORIZED. In this case, the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in Mashery Control Center.

    If Enable_Error_Set is configured with any value other than "true", the Connector's existing behavior is unchanged: it responds with ERR_401_UNAUTHORIZED when the backend server returns a 401 for unauthorized calls.

    The "true" value of the Enable_Error_Set parameter is case-insensitive.

July 21, 2020

Enhancements

General performance and stability improvements (WA-11046, WA-10992, WA-10843, WA-10786, WA-9402).

Closed Issue

  • WA-11039 - While persisting Swagger 2.0 documents, a publicly-available schema document was relocated to a different URL location. Access to this schema document is not required to validate the document, so the reference to this URL has been removed.

July 7, 2020

New Features

  • Previously, there was no option to re-parent a Portal Access Group role, once it was created. Now, you can re-parent an existing Portal Access Group role, by going to the edit page of Portal Access Groups, and re-parent it to any other organization or area level based on the permission of the user.
  • RFC compliance for handling cache logic has been implemented.

Enhancements

UI improvements (Plan Designer page) and performance enhancements in API Control Center dashboard.

Closed Issues

  • EIN-1052 - Several POST,PUT,DELETE requests failed to return the correct response.
  • EIN-4445 - A cached GET response was being returned for POST, PUT, DELETE, PATCH and OPTIONS calls to the same endpoint.
  • WA-8858 - Improved session management for TIBCO Cloud enabled Mashery subscriptions. Users will no longer risk being logged out of the API Control Center when their session in TIBCO Cloud is left unused, assuming they are actively using the API Control Center.
  • WA-10868 - If the 50 most recently created or updated records in the Organizations list were Sub organizations, the "New organization" button was getting hidden. This is now resolved and the button will not be hidden. 
  • WA-10906 - The drop-down value for HTTPS Client Profile went blank or changed to a previous value.
  • WA-11009 - Endpoint address not shown in Load Balancing menu in API Definition configuration.

July 2, 2020

Improvements

The OAuth Token Authentication connector has been updated with the following improvement:

  • Support for strict case sensitive method for GET and POST calls to third party OAuth2.0 Auth server token validation endpoint. HTTP Verb must be case-sensitive and supported that way in compliance with RFC 7231 guidelines. https://tools.ietf.org/html/rfc7231#section-4

The HTTP Basic Authentication Connector has been updated with the following improvements:

  • Support for the 401 (Unauthorized) status code and the WWW-Authenticate header field when the Authorization header is empty. This improvement complies with RFC 7617 (https://tools.ietf.org/html/rfc7617) for an empty Authorization header in an API request that requires HTTP Basic Authentication.
  • Optional configuration parameter to keep TIBCO Cloud Mashery proxy platform response codes for backward compatibility.

June 11, 2020

New Features

REST <-> SOAP Transformation Connector

The REST <-> SOAP Transformation Connector is now available. This Connector supports transforming the API request payload from REST(JSON) to SOAP and transforming the backend SOAP response into REST(JSON). Only RESTful POST messages are supported for transformation.

OAuth2.0 Token Authentication Connector

The OAuth2.0 Token Authentication Connector is now available. This Connector supports securing APIs in TIBCO Mashery using third party IDP based OAuth2.0 access token. Features include:

  • Ability to configure up to ten OAuth2.0 introspection endpoints per service endpoint for token validation using any third party IDP.
  • Conditional pickup of introspection endpoint for token validation based on incoming meta data for geo-distributed API services.
  • Ability to enrich API request header with meta data that can be returned after successful token validation.

June 2, 2020

New Feature

TIBCO Cloud Mesh

TIBCO Cloud Mesh allows you to discover any private REST endpoint exposed within TIBCO Cloud domains, within your organization or related organizations.

Authentication and authorization for these private endpoints is provided automatically. You can browse available services and select one, rather than copying and pasting a URL.

For more information, see Creating an Endpoint using TIBCO Cloud Mesh.

Closed Issue

WA-10959 - Resolved issue wherein links on API Control Center > Manage > Portal > General redirected to blank pages.

May 28, 2020

New Feature

Sensitive Data Field Masking for Call Log Export

The Call Log Export (ECLE) Masking feature allows customers to mask some or all characters in sensitive fields such as API Key and OAuth token, in both new and existing ECLE profiles. Customers must update the ECLE profile to activate masking for existing exports.

For more information, see Call Log Export Setting.

May 21, 2020

Enhancement

Updated API Policy Connector

The following improvement was made in the API Policy Connector.

  • Supports 'Effect' factor that drives 'Allow' or 'Deny' behavior on match policy.

May 12, 2020

Closed Issues

WA-10860 - API Control Center threw a duplicate endpoint error when "/" was included at the end of the request URL path.

Enhancement

WA-10604 - Revised the UI text in API Control Center for the "Remove API Key and Signature from Endpoint Call" feature for clarity of actual function.

May 11, 2020

New Features

JWT Authentication Connector

The JWT Authentication Connector is now available. This Connector supports match policy to allow additional validation based on JWT claims value.

OAuth2JWT Authentication Connector

The OAuth2JWT Authentication Connector is now available. This Connector supports match policy to allow additional validation based on JWT claims value.

API Policy Connector

The API Policy Connector is now available. This Connector allows you to apply policies to change the behavior of the API through configuration. Currently supports Request, Response and third party JWT object context.

Additional features of this Connector:

  • Third party JWT Claims Verification Policy. Supports JWT token object context.
  • Third party JWT Signature Verification Policy. Supports JWT token object context.
  • API Payload Attribute Match Policy. Supports Request and Response object context. An API policy for finding a payload attribute and applying a match; supports JSONPath (JSON payload) and XPath expressions (XML payload).
  • API Request and Response object context based match policy. Supports match keywords using operation ContainsAny, ContainsAll, JSONPath and XPath.

Closed Issues

WA-10798 - Conflict when creating a public endpoint resolved.

April 2, 2020

Enhancements

Updated XML <-> JSON Transformation Connector  

The following improvements were made in the XML <-> JSON Transformation Connector.

  • Support optional charset check in the application/json Content-Type header for accurate JSON → XML transformation. 
  • Support overriding default Connector error messages with APICC configured custom error messages using an optional flag 'override_custom_error_message'.

Updated SOAP <-> REST Transformation Connector

The following improvements were made in the SOAP <-> REST Transformation Connector.

  • Support accurate caching of POST request having XML payload with namespace.
  • Support overriding default Connector error messages with TIBCO Mashery Control Center configured custom error messages using an optional flag 'override_custom_error_message'.

Updated SOAP Cache Connector

The following improvement was made in the SOAP Cache Connector. Support accurate caching of POST request having XML payload with namespace.

Updated REST Cache Connector

The following improvement was made in the REST Cache Connector. Support accurate caching of POST request having XML payload with namespace.

March 24, 2020

Closed Issues

  • WA-10685 - Mashery provided OAuth Token endpoint was returning “Service Not Found” during CORS pre-flight call.
  • WA-10618 - Resolved ACL consistency between API and Dashboard.

March 20, 2020

Changes in Functionality

Updated IP Blocking Connector

The following improvements were made in this Mashery Connector:

1. The IP Blocking Connector has been improved to accurately identify client IP addresses for the blocking feature.

2. The Connector now supports overriding the default way the X-FORWARDED-FOR header is used to pick the client IP address, via the configurable flag keep_client_ip_as_source. By default, the selected IP address is that of the intermediary (such as a load balancer or third-party proxy) closest to the Mashery stack; this flag overrides that default.

March 19, 2020

Changes in Functionality

Updated IP Whitelisting Connector

The following improvements were made in this Mashery Connector:

1. The IP Whitelisting Connector has been improved to accurately identify client IP addresses for the whitelisting feature.

2. The Connector now supports overriding the default way the X-FORWARDED-FOR header is used to pick the client IP address, via the configurable flag keep_client_ip_as_source. By default, the selected IP address is that of the intermediary (such as a load balancer or third-party proxy) closest to the Mashery stack; this flag overrides that default.
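The two X-FORWARDED-FOR selection modes described for the IP Blocking and IP Whitelisting Connectors, as an added example that is not TIBCO's connector code. It assumes IPv4 only; the header value, peer address, block list and the function names are constructed for this illustration, and the block-list check is a minimal CIDR test, not the connector's own matching.

```javascript
// Accept only well-formed dotted-quad IPv4 literals (constructed scope: IPv4 only).
function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return m !== null && m.slice(1).every(o => Number(o) <= 255);
}

// Split an X-Forwarded-For value into the valid IP literals it carries, in
// order: left = originating client as claimed, right = hop nearest the stack.
function parseForwardedFor(xff) {
  if (!xff) return [];
  return xff.split(",").map(s => s.trim()).filter(isIPv4);
}

// Select the address the connector treats as the caller.
//  - keepClientIpAsSource = false (default): the rightmost X-Forwarded-For
//    entry, i.e. the intermediary closest to the Mashery stack; if the header
//    is absent, the TCP peer address.
//  - keepClientIpAsSource = true: the leftmost entry, the originating client.
// Caveat for the true case: the leftmost value is whatever the first hop wrote,
// so it is only as trustworthy as the edge proxy that sets or overwrites the
// header; a block list keyed on it is bypassable if clients can inject it.
function selectClientIp(headers, remoteAddr, keepClientIpAsSource = false) {
  const hops = parseForwardedFor(headers["x-forwarded-for"]);
  if (hops.length === 0) return remoteAddr;
  return keepClientIpAsSource ? hops[0] : hops[hops.length - 1];
}

// Minimal IPv4 CIDR test: dotted quad -> unsigned 32-bit integer comparison.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function ipv4InCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!isIPv4(ip) || !isIPv4(base) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// "block" or "allow" for one request, given the connector's block list and flag.
function ipBlockingDecision(headers, remoteAddr, blockList, keepClientIpAsSource = false) {
  const ip = selectClientIp(headers, remoteAddr, keepClientIpAsSource);
  return blockList.some(c => ipv4InCidr(ip, c)) ? "block" : "allow";
}

// Constructed sample request: client 203.0.113.10 -> partner proxy
// 198.51.100.7 -> our load balancer, which connects from 10.0.0.5.
const SAMPLE_HEADERS = { "x-forwarded-for": "203.0.113.10, 198.51.100.7" };
const SAMPLE_PEER = "10.0.0.5";
const SAMPLE_BLOCK_LIST = ["203.0.113.0/24"];
```

With the constructed sample, the default mode evaluates the partner proxy 198.51.100.7 against the block list and allows the call, while keep_client_ip_as_source evaluates 203.0.113.10 and blocks it.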

New Feature

REST Cache Connector

New Mashery Connector, REST Cache Connector, supports caching of REST POST requests, which allows requests that have the same payload and configured headers value to be served from the cache.

March 10, 2020

New Feature

Organization-related information (Org/SubOrg Name & UUID) synchronized to Mashery Local for inclusion in logs is now available through Log Service.

February 27, 2020

New Features

SOAP Cache Connector

New Mashery Connector, SOAP Cache Connector, supports caching of SOAP POST requests, which allows requests that have the same payload and configured header values to be served from the cache.

Ping Auth Connector

New Mashery Connector, Ping Auth Connector, consists of the following:

January 21, 2020

New Features

  • Normalize Audit History timezone from PDT to GMT.
  • Support hyphen and underscore in Organization and Sub-Organization names.

Closed Issues

  • WA-10600 - Enum values not honored during ‘try it now’ with Swagger 2.0 on Interactive Documentation resolved. 
  • WA-10380 - Manually-entered parameter values were reverting to defaults in interactive documentation.
  • WA-9635 - Page content was blank in CMS on page load.
  • WA-9903 - Second use of authorization resulted in “Unknown security definition type http” error.

January 9, 2020

New Features

XML <-> JSON Transformation Connector

New Mashery Connector, XML <-> JSON Transformation Connector, supports transforming an API request payload from XML to JSON and vice versa.

SOAP <-> REST Transformation Connector

New Mashery Connector, SOAP <-> REST Transformation Connector, supports transforming API request payload from SOAP message to REST(JSON) and vice versa.

November 12, 2019

New Feature

In an effort to simplify Domain whitelisting, the Control Center has been modified to not allow IP addresses to be specified when adding whitelisted domains. A warning message is displayed if an IP address is specified.

November 5, 2019

Closed Issue

WA-10256 - Replacement variables removed from the New Member Registration email were still being appended to the email regardless of the configured template. This has been fixed.

November 1, 2019

Closed Issue

WA-10439 - Developer-facing Reporting and CSV download on the Developer Portal were returning a 404 page not found.

October 10, 2019

New Feature

Time stamp of last login for Developer Portal user now exposed on the member record, accessible via API Call.

July 3, 2019

Closed Issue

RPT-3250 - Unable to create Amazon S3 bucket path for Enriched Call Log Export (ECLE).

June 19, 2019

New Feature

Geo Target Routing Connector updated in the TIBCO Cloud™ Mashery - Connectors Guide.

Mashery Connectors are TIBCO Mashery's Cloud feature plugins and extensions that have been developed and are available out of the box for Mashery Cloud customers. Connectors have been carefully envisioned to address common use-cases such as content injection, content filtering, content transformation, call authentication using a third-party IDP, IP-based call filtering, domain-based routing, geo-location based routing and HTTP header manipulation.