Release Notes

These release notes list and describe the new features, enhancements, and resolved issues in NGINX Management Suite API Connectivity Manager.

1.5.0

3/28/2023

Upgrade Paths

API Connectivity Manager 1.5.0 supports upgrades from these previous versions:

• 1.2.0–1.4.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Runtime state sharing in an API gateway or Developer Portal

  Administrators can use cluster-wide policies to configure uniform settings across all instances in the cluster, such as worker connections, hash table size, and keepalive settings, to optimize performance. Furthermore, using the Cluster Zone Sync policy, the cluster can be configured to share the runtime state and sync data across all instances, allowing for cluster-wide rate limits and sticky sessions.

• Use role-based access control for enhanced security and governance

  With new built-in RBAC roles for API Connectivity Manager, administrators can grant or restrict user access to workspaces and features, empowering teams to manage their own workflows.

  See Also:
  

  • Set Up RBAC for API Owners
  • Set Up RBAC for Infra Admins

• Secure handling of sensitive data

  API Connectivity Manager now provides enhanced security for sensitive data, including credentials used in APIKeys, Basic Auth, OAuth2, and JWT policies. All secrets are stored in a secure Vault and encrypted for added protection.

• Multiple hostname support

  Proxy clusters can be shared across multiple environments (hostnames).

• Improved certificate handling

  API Connectivity Manager will not generate new certificates if any have already been specified in the TLS policy; instead, ACM will reference the existing certificates. In this way, wildcard certificates may be employed.

• Add a Health Check policy to your gRPC proxy to ensure optimal performance

  The gRPC proxy can be enabled with a Health Check policy, allowing it to check the health status of backend gRPC services and route requests accordingly.

• Performance improvements for the web interface

  A number of improvements have been made to how the web interface queries the backend services when fetching data.

Security Update

Important:
For the protection of our customers, NGINX doesn’t disclose security issues until an investigation has occurred and a fix is available.

This release includes the following security update:

• Instance Manager vulnerability CVE-2023-1550

  NGINX Agent inserts sensitive information into a log file (CVE-2023-1550). An authenticated attacker with local access to read NGINX Agent log files may gain access to private keys. This issue is exposed only when the non-default trace-level logging is enabled.

  NGINX Agent is included with NGINX Instance Manager, and used in conjunction with API Connectivity Manager and the Security Monitoring module.

  This issue has been classified as CWE-532: Insertion of Sensitive Information into Log File.

  Mitigation

  • Avoid configuring trace-level logging in the NGINX Agent configuration file. For more information, refer to the Configuring the NGINX Agent section of NGINX Management Suite documentation. If trace-level logging is required, ensure only trusted users have access to the log files.

  Fixed in

  • NGINX Agent 2.23.3
  • Instance Manager 2.9.0

  For more information, refer to the MyF5 article K000133135.

Changes in Default Behavior

API Connectivity Manager 1.5.0 has the following changes in default behavior:

• ACL IP Policy denies IP addresses by default

  Updates the ACL IP policy to deny IP addresses by default instead of allowing them by default.

Resolved Issues

This release fixes the following issues. Select an issue’s ID link to view its details.

• Configurations aren’t pushed to newly onboarded instances if another instance is offline (40035)

• The Proxy Cluster API isn’t ready to be used (40097)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.4.1

February 2, 2023

Upgrade Paths

API Connectivity Manager 1.4.1 supports upgrades from these previous versions:

• 1.1.0–1.4.0

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Stability and performance improvements

  This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issue. To view the history for an issue, see the Known Issues list.

• Cluster and Environment deletion issues when Portal Docs are published (40163)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.4.0

January 23, 2023

Upgrade Paths

API Connectivity Manager 1.4.0 supports direct upgrades from these previous versions:

• 1.1.0–1.3.1

If your installed version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release features the following updates:

• OAuth2 Introspection policy now supports token claim verification

  API admins can configure an OAuth2 Introspection policy with token claim verification. If the value of an introspected token claim matches the values in the policy configuration, the request will be allowed to proceed to the backend. If not, the request will be denied, and 403 Forbidden will be returned.

• Adds support for NGINX Plus R28

  API Connectivity Manager 1.4.0 is compatible with NGINX Plus R28. For requirements related to NGINX Management Suite and API Connectivity Manager, please refer to the Technical Specifications guide.

• Allow or deny access to APIs for specified consumers

  Control access to APIs to prevent unauthorized requests from designated consumers.

Resolved Issues

This release fixes the following issues. To view the history for an issue, see the Known Issues list.

• OIDC policy cannot be applied alongside a proxy authentication policy (39604)

• A JWT token present in a query parameter is not proxied to the backend for advanced routes (39328)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.3.1

December 16, 2022

Upgrade Paths

API Connectivity Manager 1.3.1 supports upgrades from the following versions:

• 1.0.0 – 1.3.0

If you are using an older version of API Connectivity Manager, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

• This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues:

• Developer Portal backend information is unintentionally updated when editing clusters within an environment (39409)

• The web interface doesn’t pass the enableSNI property for the TLS backend policy (39445)

• The Inbound TLS policy breaks when upgrading from API Connectivity Manager 1.2.0 to 1.3.0. (39426)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.3.0

December 12, 2022

Upgrade Paths

API Connectivity Manager 1.3.0 supports upgrades from the following versions:

• 1.0.0 – 1.2.0

If you are using an older version of API Connectivity Manager, you may need to upgrade to an intermediate version before upgrading to the target version.

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Configure access-controlled routing

  API lifecycle management requires routing API traffic with fine-level control, which is something that token-based authentication schemes that leverage JWT claims do well. Permissions can be encoded as custom claims in the token. Then, once the API proxy validates the token (JWT), it can access all the fields in the token as variables. Decisions can be made based on matching the claims.

  • Applying Fine-Grained Access Control

    API Owners can apply fine-grained access control and restrict access to their APIs based on specific claims in the token. The policy can be configured to enforce fine-grained control for specific routes or be fine-tuned to support particular methods per route.

  • Header-Based Routing

    Routing decisions can be made based on headers in the incoming requests. API owners can configure rules and conditions that must be matched before routing requests.

  See Configure Access Control Routing to learn how to restrict access to your application servers based on JWT claims or header values.

• Use the web interface to publish and manage gRPC services

  With ACM 1.2, we introduced support for publishing and managing gRPC services. Now, in this release, we extend that capability to the web interface.

  You can secure gRPC services with the following policies:

  • gRPC environment policies

    • Error Response Format
    • Log Format
    • Proxy Response Headers
    • Request Body Size Limit
    • Request Correlation ID
    • TLS Backend
    • TLS Inbound

  • gRPC proxy policies:

    • ACL IP Restriction
    • APIKey Authentication
    • Basic Authentication
    • GRPC Backend Config
    • JSON Web Token Assertion
    • OAuth2 Introspection
    • Proxy Request Headers
    • Rate Limit

• Secure communication between ACM and Developer Portal with mTLS

  ACM communicates with the Developer Portal host to publish API docs and create API credentials. Now, PlatformOps can secure this communication channel by enabling mTLS between the hosts.

  Previously, mTLS required a TLS backend policy on the internal portal proxy cluster. ACM 1.3 removes that restriction. The TLS inbound policy on the internal portal allows providing a client certificate for ACM when mTLS is enabled. ACM presents this client certificate when connecting to the Developer Portal, identifying itself as a trusted client.

• Other Enhancements

  • Improved policy layout

    The Policy user interface has been improved with highlights for the different policy sections.

  • NGINX Management Suite config changes are preserved during upgrade

    Upgrades no longer overwrite customized configurations unless instructed to by the user.

  • Support for chained certificates

    Infrastructure administrators can now upload public certificates in PEM format, along with an optional list of intermediate certificates for validating the public certificate.

  • Support for SNI requirements from hosted services

    API owners can now use the OAuth2 policy with hosted Identity Provider services that enforce Server Name Indication (SNI).

Resolved Issues

This release fixes the following issues:

• No validation when conflicting policies are added (34531)

• Installing NGINX Agent on Ubuntu 22.04 LTS fails with 404 Not Found error (35339)

• New users are unable to see pages even though they have been given access. (36607)

• Portals secured with TLS policy require additional environment configuration prior to publishing API docs (38028)

• The user interface is erroneously including irrelevant information on the TLS inbound policy workflow (38046)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.2.0

October 18, 2022

Upgrade Paths

API Connectivity Manager 1.2.0 supports upgrades from these previous versions:

• 1.0.0 – 1.1.1

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

• Secure API access with OAuth2 tokens

  API Owners can restrict access to their APIs with OAuth2 tokens by swapping an opaque token for claims or a JWT token to be proxied to the backend service. The policy can be configured to grant access to APIs after having the tokens introspected. In addition, the claims in the token can be extracted and forwarded to the backend service.

  Tip:
  Learn how to set up an OAuth2 Introspection policy with Keycloak as the authorization server.

• Restrict access to APIs based on IP address

  Using the ACL-IP policy, API owners can now restrict access to APIs based on IP addresses. APIs can be protected by quickly blocking rogue requests from certain IPs or allowing access to only known IPs.

• Support for HTTP/2

  To improve the performance and efficiency of client-server interactions, HTTP/2 can be enabled on the API proxies. With HTTP/2 enabled, API Proxies will continue to maintain backward compatibility with older browsers.

• Publish and manage gRPC services - preview release

  Important:
  This is a preview feature for you to try out. You shouldn’t use preview features for production purposes.

  To handle gRPC traffic, you can now publish and manage gRPC proxies.

  Publish gRPC proxies and route gRPC traffic to support the following use cases:

  • Simple RPC (single request‑response)
  • Response‑streaming RPC
  • Request‑streaming RPC
  • Bidirectional‑streaming RPC
  • Route to all services in a gRPC service package
  • Route to a single gRPC service
  • Route to individual gRPC methods
  • Route to multiple gRPC services
  • Respond to errors with custom gRPC error response format policy

• Out-of-the-box protection for Developer Portals

  Developer Portals are now deployed with out-of-the-box protection against rapid requests/overuse and server fingerprinting:

  1. Protection against server fingerprinting

     The proxy response header policy is now applied by default to a Developer Portal. The default policy disables server tokens from being returned in the proxy response.

  2. Protection against rapid requests and over-use

     To protect the portal application, the default rate limit policy limits the number of requests a client can make in a time period. Platform admins can customize the policy to meet their SLAs.

• Support for multi-host deployment pattern for Developer Portals

  Developer Portals can support multiple deployment patterns. The portal backend API service can be scaled to multiple hosts and can be load-balanced using host IP addresses or internal DNS.

  To support the deployment patterns, configs -> proxyConfig -> backends object has been introduced in the Portal Proxy runtime. The existing backend object in the proxyCluster object of the Portal Proxy runtime is being deprecated and will not be available in the next major release version.

• Enhanced API documentation on Developer Portals

  The API documentation published to the Developer Portal now displays detailed security schema information for each API.

• Express API payload size with unit of measure

  The maximum allowed size for the client request body can now be configured in bytes, kilobytes(K) or megabytes(M).

  The maxRequestBodySizeLimit attribute of the policy is deprecated and will be removed in the next major API Connectivity Manager release. Size is the new attribute that supports bytes, megabytes(M), and kilobytes(K). The default setting is 1M.

• Database backup included in support packages

  The Developer Portal support package now includes the option to back up the PostgreSQL database.

• Improved visualizations for resource credentials

  API owners can now view the origin of resource credentials. The source field indicates where the credentials were created. For security reasons, the credentials created on the Developer Portal will be masked, but the API owners can view the origin of the resource credentials.

Resolved Issues

This release fixes the following issues. To view the history for an issue, see the Known Issues list.

• To see updates to the Listener’s table, forced refresh of the cluster details page is required. (36540)

• Using labels to specify the backend is partially available. (36317)

• Ratelimit policy cannot be applied with OAuth2 JWT Assertion policy. (36095)

• Unable to delete an environment that is stuck in a Configuring state. (35546)

• Enums are not supported in Advanced Routing. (34854)

• Credentials endpoint is disabled by default. (35630)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.1.1

August 31, 2022

Upgrade Paths

API Connectivity Manager 1.1.1 supports upgrades from these previous versions:

• 1.0.0 – 1.1.0

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

• This release includes stability and performance improvements.

Resolved Issues

This release fixes the following issues. To view the history for an issue, see the Known Issues list.

• Advanced routing ignores the Context Root setting for backend proxies (36775)

• Traffic is not secured between the API Proxy and backend servers (36714)

• OIDC policy doesn’t work with Auth0 Identity Providers (36058)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.1.0

August 18, 2022

Upgrade Paths

API Connectivity Manager 1.1.0 supports upgrades from these previous versions:

• 1.0.0

See Also:
Refer to the Upgrade Guide for important information and steps to follow when upgrading API Connectivity Manager.

What’s New

This release includes the following updates:

• Advanced Cluster Management

  Including more than one proxy cluster with the same hostname in an environment replicates configuration across all clusters and assists with blue-green deployments. With advanced cluster management, you can use a load balancer in front of the clusters to slowly move to the newer version of the API gateway. For example, one cluster may belong to NGINX Plus version R26 and another to R27. See the Technical Specifications.

• Advanced Routing feature is available now

  Advanced routing feature is available now. You can use it to publish an API Proxy and route specific URIs/endpoints precisely to a backend service. Advanced routing with OAS Specification allows you to import a specification file, parse all the URIs/endpoints in the file and publish API proxy by routing each URI/endpoint precisely to a backend service. To use the advanced routing feature without an OAS specification file, add the URI/endpoints while publishing the API proxy. See the Advanced Configurations section.

• SQLite is supported for Developer Portal

  SQLite is now supported as a database for Developer Portal installations.

• Support for NGINX Plus Release 27 (R27)

  This release supports NGINX Plus Release 27 (R27) version for Data Plane instances. See the Technical Specifications.

Resolved Issues

This release fixes the following issues. To view the history for an issue, see the Known Issues list.

• JWT Assertion policy accepts an empty string value for tokenName property (35419)

• Environment is in a premature success state even though all proxy clusters may not be onboarded (35430)

• Cannot add, remove, or edit proxy clusters from an environment that has a published API proxy (35463)

• Features in the web interface are not displayed after uploading license (35525)

• DEVPORTAL_OPTS in /etc/{default,sysconfig}/nginx-devportal does not work if value has multiple words (36040)

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.

1.0.0

July 19, 2022

What’s New

This release introduces the following features:

• Create and manage isolated workspaces for business units, development teams, etc., so each team can develop and deploy at its own pace without affecting other teams.
• Create and manage API infrastructure in isolated workspaces.
• Create and manage production and non-production environments within team workspaces and control who can access APIs at various lifecycle stages. For example, keep APIs under development private and publish production-ready APIs for public access.
• Enforce uniform security policies across all workspaces by applying global policies.
• Create Developer Portals that align with your brand, with custom color themes, logos, and favicons.
• On-board your APIs, publish to an API gateway, and publish your API documentation to the Developer Portal.
• Let teams apply policies to their API proxies to provide custom quality of service for individual applications.
• On-board API documentation by uploading an OpenAPI spec.
• Publish your API docs to a Developer Portal without giving the public access to your API.
• Monitor system and traffic metrics at the instance level.
• Self-service credential issuance for API Keys and Basic Authentication.
• Test API calls to your system using the “Try it out” feature in the Developer Portal.

Known Issues

• You can find information about known issues with API Connectivity Manager in the Known Issues topic.