Known Issues
gateway83
Decode JSON Web Token Assertion Unaffected by Invalid JWT Signature
Issue:
The Decode JSON Web Token Assertion does not fail when an invalid JSON Web Token (JWT) signature is detected. Although this behavior is by design, some users may construct policies assuming that an invalid JWT signature causes the assertion to fail. (DE292005)Workaround:
To ensure that policy processing stops when an invalid JWT signature is detected, place a Compare Expression Assertion immediately following the Decode JSON Web Token Assertion and have it test for ${<prefix>.valid}
= true. If the JWT signature fails, ${<prefix>.valid}
returns 'false' causing the Compare Expression Assertion to fail.The instructions below describe how to identify all occurrences of the Decode JSON Web Token assertion, how to configure the Compare Expression assertion and where to place it in your policy.
How to Identify Instances of the "Decode JSON Web Token Assertion"
Do the following steps to identify all policies that contain a Decode JSON Web Token Assertion:
- Access a privileged shell.
- Run the following command:# mysql ssg -u gateway -p -e "select name from policy where xml like \"%L7p:DecodeJsonWebToken%\""
- Make note of the results. They list all the policies and services that contain the assertion.
- Log in to the Policy Manager either as the administrator or as someone with permissions to modify all policies/services.
- Open a policy that is identified by the MySQL command above.
- Press Ctrl-F to invoke the Search bar and then type "Decode JSON Web Token” to show all instances of the assertion in the policy.
- Click a search hit to go to the line in the policy.
- Add the Compare Expression Assertion in the appropriate place. This is described next.
How to Configure the Compare Expression Assertion
Configure the Compare Expression Assertion to test whether the
${
<prefix>
.valid}
context variable is 'true', where the "<prefix>" is defined in the Decode JSON Web Token Assertion. For example, if the prefix is 'output', you define the comparison: ${output.valid} == true
. The properties dialog should look like this:
Where to Place the Compare Expression Assertion
Where you place the Compare Expression Assertion depends on the policy logic in use at the branch. These are the main scenarios:
- Decode JSON Web Token Assertion in Default Policy:In this case, simply place the Compare Expression assertion immediately after the Decode JSON Web Token assertion.
- Decode JSON Web Token inside an ‘All assertions must evaluate to true’ Assertion:Similar to the above, place the Compare Expression assertion within "All assertions...", immediately following the Decode JSON Web Token assertion.
- Decode JSON Web Token inside an ‘At least one assertion must evaluate to true’ Assertion:In this instance, enclose both the Decode JSON Web Token and Compare Expression assertions within a new "All assertions must evaluate to true" assertion.Before:At least one assertion must evaluate to true...Decode JSON Web Token...After:At least one assertion must evaluate to true...All assertions must evaluate to true...Decode JSON Web TokenCompare Expression...
How to Modify OTK Policies
For detailed instructions on how to modify your OAuth Took Kit policies, please refer to "Release Notes" in the CA API Management OAuth Toolkit online documentation.
ESM Report Error
When you generate a report, you may get an error message under
Generated Reports
, Status=FAILED
, Status Detail=Error creating report style template
. (EM-1040)Transfer-Encoding Processing during HTTP(S) Routing
Prior to Release 8.3, any transfer-encoding header added to the response by a policy is ignored if the
API Gateway
does its own response transfer-encoding handling. As of Release 8.3, a policy may perform its own response transfer-encoding handling by encoding the response body and adding the transfer-encoding header. If this header is present in the response after the policy completes, the Gateway's built-in transfer-encoding processing will be suppressed. (SSG-10755)File Permissions After a Restore
Some file permissions may not be correctly restored after a Gateway is restored using the
ssgrestore.sh
command, resulting in the Policy Manager being unable to connect to the API Gateway
. To correct this, see "Problem: Gateway is not running properly after a restore" in Troubleshoot. (SSG-9735)Assertion Outcome during HTTP(S) Routing
The [Other] tab in the HTTP(S) Routing Properties contains the control [
Never fail as long as target returns an answer
]. There is a known issue that can still cause the assertion to fail even when an answer is returned under the following scenario:- In the [Security] tab, the Service Authentication is “Use HTTP Credentials from Request”.
- The backend services returns a 401 HTTP error.
To prevent assertion failure in this scenario, use “Specify HTTP Credentials” as the Service Authentication method instead. Specify the username and password as context variables from the request (i.e.,
${request.username}
, ${request.password}
). (SSG-5372)Connection Timeout during SSH Routing
There is a known issue in the
Route via SSH
assertion that causes the connection timeout to be twice as long as the value specified in the assertion when the SFTP protocol is selected. (SSG-5116)Non-CA Custom Assertions May Fail to Load
Customer-developed Custom Assertions created in version 7.1. may fail to load after upgrading to version 8.3 of the CA API Gateway due to a change in the Custom Assertion SDK, causing an “Unknown assertion: CustomAssertion” error to occur.
For detailed information about this issue, see the “Important Note” in the document
Creating CA API Gateway Custom Assertions, v2.2
.Dependency Errors when Deleting OAuth Folder
Deleting an OAuth policy that contains policy fragments serving as backing policies for encapsulated assertions will trigger dependency errors in the Policy Manager. These errors cannot be acknowledged in bulk nor can the deletion be cancelled. For workarounds to avoid this, see "Problem: Deleting OAuth policy creates dependency errors" in Troubleshoot. (SSM-5068)
JDBC Connection Test False Positives
The [Test] button in the JDBC Connection Properties may fail to detect invalid JDBC URLs. This is caused by a problem in a third-party library used by the Gateway.
Workaround:
For MySQL, ensure that the URL is in this format:jdbc:mysql://[host1][:port1][,[host2][:port2]] ...[/[database]]
Note that if a database is defined, it must be preceded by the '/' character.
JSON Schema Validation Unexpected Results
The current version of the CA API Gateway does not support the "format" attribute in JSON Schema V2. This may result in dates not being validated correctly, for example.
Workaround:
If feasible, upgrade to CA API Gateway
v9.3, which supports both JSON Schema Validation V2 and V4. The "format" attribute is fully supported when using V4.