NetIQ Secure API Manager 2.0 Patch Update 1 Release Notes

Issue: The Access Manager Administration Console does not display any options for the API Gateway to configure Secure API Manager. Or, you previously were able to use the configuration options in the Administration Console and the options have disappeared.

Solution: You must install a trial license or a full license for Secure API Manager in Access Manager to have the configuration options appear. The trial license is included with Access Manager, but you must install the trial license for the options to appear. After 91 days, the trial license expires and the configuration options no longer appear in the Administration Console unless you purchase and install a full license.

Issue: You cannot access the Publisher or the Store appmarks on the user portal page.

Solution: By default, no one is assigned rights to access the Publisher or the Store. You must ensure that the user account on the Identity Server that wants to access the Publisher or the Store contains the proper role assignments that grant access to the Publisher and the Store. For more information, see Grant Access to the Publisher and the Store in the NetIQ Secure API Manager 2.0 Administration Guide.

Issue: The Store fails to create an OAuth client during the subscription process to an API.

Solution: Ensure that your OAuth configuration is complete in Access Manager. If you do not perform all four steps required to enable and configure OAuth in Access Manager, Secure API Manager cannot complete the subscription process for the APIs. For more information, see Configuring OAuth and OpenID Connect in the NetIQ Access Manager 5.0 Administration.

Issue: If you upgrade Access Manager to the 5.0 version, by default Access Manager creates new certificates but the calls to the different components are still using the old certificates.

Solution: Replace the certificate for the Administration Console with a current certificate that contains the proper DNS name in the certificate. For more information, see Viewing Certificate Details in the NetIQ Access Manager 5.0 Administration.

Issue: You have deleted the VMware image of the appliance but you did not delete the associated API Gateway object from the Administration Console. You then redeployed another appliance and you use the same IP address and DNS name of the first appliance. The API Gateway is not working as it should. It is not allowing authentications and you cannot access it.

Solution: Delete the API Gateway object from the Administration Console, then delete the appliance from VMware. Next, redeploy the appliance and proceed as normal. Access Manager retains the configuration information including certificates of the API Gateway if you do not delete the API Gateway. This causes issues if you redeploy the appliance with the same network configuration as the last time. For more information, see Uninstalling a Single API Gateway in the NetIQ Secure API Manager 2.0 Installation Guide.

Issue: APIs that use the URI to direct traffic, for example behind an L7 switch, are not supported.

Solution: Allow the API to be resolved to an IP address and then the functionality provided in the API works.

Issue: When you create an API, you add the certificate for the backend service’s server in PEM format. Secure API Manager validates the SSL certificate chain for you when you save the API and it returns a 404 error. The issue is that the backend service server is not using a well-known certificate authority and that the Trusted Root is not configured properly. (Defect 319146)

Solutions: If the backend service server is using well-known certificate authority, you do not have to configure a Trusted Root for the API. If the backend service server certificate authority is not well known, you must configure a Trusted Root for the backend service in the API. Secure API Manager requires that the Trusted Root be configured in one of three specific ways. If the Trusted Root is not configured properly, the Validate SSL Chain option returns a 404 error. For details about the specific ways to configure the Trust Root, see Overview of the Backend Service SSL Validation Process in the NetIQ Secure API Manager 2.0 API Help.

Issue: Secure API Manager provides cloning to simplify creating the next version of your API. The cloning process automatically increments the version number of the API for you. The best practice when you use cloning is to clone the API and then deprecate the original API. Secure API Manager does not allow you to clone an API more than once to ensure that you do not have duplicate APIs in your system. (Defect 316107)

Solution: The best practice is to clone an API and then deprecate the original API. If you need to clone the API again, clone the cloned API and then deprecate the first clone.

Issue: Secure API Manager requires unique API endpoints to work properly. If you add the same API Gateway to a second API Gateway cluster, Secure API Manager does not work. (Defect 314243)

Solution: Ensure that you add the API Gateway only once to an API Gateway cluster. Also, ensure that you either use an IP address or a DNS name. Do not use both options when you configure the API Gateway.

Issue: Browsers use the OPTION method to determine if CORS is allows. API Gateway reserves all OPTION methods for CORS functionality. Secure API Manager cannot protect any APIs that use the OPTION methods. (Defect 317074)

Workaround: Do not use the OPTION method when creating APIs. If you do, the CORS feature does not work. We have reserved the OPTION method for CORS for this release. For more information about when you select the appropriate REST methods, see Define a Method in the NetIQ Secure API Manager 2.0 API Help.

Issue: If you configure you backend service using one of the following scenarios, there are SSL issues between the API Gateway and the backend service. (Defect 318180)

Workaround: Use a non-SSL connection to the backend service or, for this release, do not use any of these configuration options. There is no other workaround at this time.

Issue: In the Publisher, when you view the APIs in the table layout, the Actions menu options overlap other options. All of the options do not appear at the same time. It appears as if some of the options are missing. (Defect 315071)

Workaround: Use the small scroll bar for the Actions menu to view all available options.

Issue: In the Access Manager Dashboard, the Devices option at the top of the page does not contain an option for the API Gateway. (Defect 282422)

Workaround: You must click the API Gateway tile to configure Secure API Manager. Currently, there is no option to add an API Gateway under Devices.

Issue: Secure API Manager administrators can delete the limiting policies at any time. Secure API Manager does not check to see if the APIs that use the limiting policy have subscriptions. This means that if a limiting policy is deleted, the APIs that are currently using the limiting policy continue to use the policy until the API developers remove the subscription to the limiting policy. (Defect 314089)

Workaround: If you delete the limiting policy, you must also check the subscriptions and remove the subscriptions to the limiting policy. Otherwise, no workaround is currently available for this issue.

Issue: If there are APIs assigned only to a custom limiting policy, and that custom limiting policy is deleted, the APIs no longer have a limiting policy assigned. This results in the APIs having unlimited bandwidth or allowing unlimited requests. (Defect 316067)

Workaround: No workaround is currently available for this issue.