All notable changes to the Zowe API Mediation Layer package will be documented in this file.
-
Feature: OpenTelemetry has been configured with API ML's `SSLContext` to handle secure connections to external OTel collectors. (#4537) (a6d6863), closes #4537
-
Feature: OpenTelemetry logging capability has been added to the routing and API ML-bound requests. (#4509) (bff02c5), closes #4509
-
Feature: Users can now configure client and server SSL separately. This change allows API ML to read configuration from the `apiml.service.ssl` section with fallback to the `server.ssl` section. (#4507) (606d2b3), closes #4507
-
Feature: Properties specifying "required", "additional", and "recommended" have been applied to base signals from the API ML OpenTelemetry implementation with defaults. (#4456) (5ee02e6), closes #4456
-
Feature: The Apache license has been added to the Node.js and Python enablers. (#4500) (9040130), closes #4500
-
Feature: JVM parameters are now read from the zowe.yaml. (#4485) (dd51ee1), closes #4485
-
Feature: Binding on multiple network interfaces is now supported. Each service can now define a list in configuration value `server.address`. (#4457) (581217a), closes #4457
-
Feature: Add Zowe version to the Gateway Homepage (#4569) (4c4b540), closes #4569
-
Bugfix: Enabled API Catalog access with OIDC in single-service deployments. (#4536) (938f023), closes #4536
-
Bugfix: Allowed empty values in the authorization provider setting. (#4585) (a143345), closes #4585
-
Bugfix: Fixed the API ML startup message for HA scenarios. (#4582) (999ea67), closes #4582
-
Bugfix: Cleaned log output for OTel ITs. (#4570) (294f10d), closes #4570
-
Bugfix: Optimized routing by removing unnecessary Caching service calls for sticky session checks. (#4549) (0eb08d4), closes #4549
-
Bugfix: Updated start.sh and configuration scripts to correctly pass multiple bound IP addresses to the API Mediation Layer. (#4578) (7086467), closes #4578
-
Bugfix: Improved single-service caches using Infinispan. (#4548) (6ec2a1e), closes #4548
-
Bugfix: Enabled configuration of Infinispan storage segments to allow for a reduced number of index files. (#4521) (d4b3c87), closes #4521
-
Bugfix: Fixed propagation of the apiml.debug property in start.sh. (#4540) (fd34334), closes #4540
-
Bugfix: Improved debugging capabilities for JWTs. (#4516) (3703e08), closes #4516
-
Bugfix: Switched the default WebSocket client from Netty to Tomcat to resolve failures with rapid split-frame responses. (#4519) (e2371c9), closes #4519
-
Bugfix: Allowed VSAM details to be stored in the apiml and caching-service namespaces. (#4514) (816dab9), closes #4514
-
Bugfix: Added correct styling for Open API 3.1. (#4513) (a97322d), closes #4513
-
Bugfix: Added the default JDK DNS resolver. (#4496) (4d87cc3), closes #4496
-
Bugfix: Fixed schema validation in API ML components. (#4438) (6cde33d), closes #4438
-
Bugfix: Added the Referer header. (#4479) (bb2872b), closes #4479
-
Bugfix: Improved troubleshooting by logging details of certificates ignored during API Layer client authentication through a new shared utility class. (#4415) (8e74e5f), closes #4415
-
Bugfix: Set JVM console encoding to IBM-1047 for Java 21. (#4482) (0a636a4), closes #4482
-
Bugfix: Fixed infinispan configuration, exception handling, and the overall cache operation. (v3) (#4450) (c2133d8), closes #4450
-
Bugfix: Fixed Caching Service stability for single-service deployment (#4544) (215cc5), closes #4544
-
Bugfix: Catch the issues with service unavailable other than the Connect Timeout (#4590) (2042eff), closes #4590
-
Feature: Support binding on multiple network interfaces (#4457) (581217a), closes #4457
-
Bugfix: Fix infinispan configuration, exception handling, and the whole cache operation (v3) (#4450) (c2133d8), closes #4450
-
Bugfix: expect 401 on info endpoint (#4460) (cc98e7c), closes #4460
-
Bugfix: disable hostname validation (#4452) (4f546b6), closes #4452
-
Bugfix: Fix error message during the shutdown of the Discovery service (#4390) (4955206), closes #4390
-
Bugfix: Loading jwks with nonstrict certificate validation (#4442) (45de135), closes #4442
-
Bugfix: remove reversecategorize filter from attls (#4441) (2a26ebb), closes #4441
-
Bugfix: AT-tLS in single service mode fixes (#4435) (5e7c275), closes #4435
-
Bugfix: Loading JWKs from z/OSMF (#4432) (d592a4e), closes #4432
-
Feature: Enable opentelemetry for modulith (#4380) (259a2fc), closes #4380
-
Feature: Support keyrings with ICSF keys (#4354) (eeb3ade), closes #4354
-
Feature: Update z/OSMF template to use the SAF provider as default (#4374) (9e8c85c), closes #4374
-
Feature: Support multiple OIDC providers at the same time (#4295) (801927f), closes #4295
-
Bugfix: Add service ID validation (#4375, #4329) (ec4000c, 3a20fef), closes #4375, #4329
-
Bugfix: Certificate chain parsing with Java JCA Hybrid provider (#4376) (cccd895), closes #4376
-
Bugfix: Close expired connections (#4383, #4389) (abb4c58, 0399195), closes #4383, #4389
-
Bugfix: Correct description in API doc (#4348) (79e67dd), closes #4348
-
Bugfix: Environment variable in start.sh for ICSF (#4369) (b607910), closes #4369
-
Bugfix: Fix shell script from #4357 (#4382) (778f45e), closes #4357 #4382
-
Bugfix: Fix Spel expression in case of non-defined variable (#4361) (60c0b83), closes #4361
-
Bugfix: Fix Integration tests to run with SAF auth provider (#4386) (274b424), closes #4386
-
Bugfix: Resolve conflicting beans (#4387) (e551700), closes #4387
-
Bugfix: Fix URLs for onboarding when AT-TLS is enabled (#4169) (fc46df1), closes #4169
-
Feature: Support configurable username field for OIDC tokens (#4300) (f9711b2), closes #4300
-
Feature: Support multiple OIDC providers at the same time (#4295) (686061c), closes #4321
-
Feature: (Onboarding Nodejs Enabler) Expose Eureka class from EurekaClient for better customization control (#4311) (ab71686), closes #4311
-
Feature: Support multi-value OIDC claims for userId mapping (#4308) (d7fbaca), closes #4308
-
Feature: Support Keycloak as OIDC provider in integration tests (#4321) (686061c), closes #4321
-
Bugfix: Respect encoded slashes in redirect header (#4328) (da9ee87), closes #4328
-
Bugfix: OIDC redirectUri default in java code to prevent startup error (#4329) (644c9c9), closes #4329
-
Bugfix: z/OSMF static definition for AT-TLS (#4327) (ca8a9ad), closes #4327
-
Bugfix: Custom Disk Health Configuration to work properly on z/OS (#4269) (808ec13), closes #4269
-
Bugfix: AT-TLS mode without reading keystore (#4271) (67a845b), closes #4271
-
Bugfix: WebClient used in API Catalog does not follow redirects (#4278) (b409870), closes #4278
-
Bugfix: Websocket frame size configuration (#4277) (e3754cb), closes #4277
-
Bugfix: AT-TLS filter in modulith mode and Ltpa2 token (#4285) (ce2acdc), closes #4285
-
Bugfix: Increase stomp tests connection timeout for miniplex (#4296) (802c50b), closes #4296
-
Bugfix: Start caching service with disabled cert verification (#4299) (77f1092), closes #4299
-
Bugfix: Cherry-pick apiml.gateway.servicesToDisableRetry to modulith (#4307) (7a5dae4), closes #4307
-
Bugfix: API ML services log cleanup (#4284) (c30ad60), closes #4284
-
Bugfix: Update modulith version of z/OSMF static definition (#4333) (ae110f4), closes #4333
-
Bugfix: Avoid duplicate startup message (#4339) (b4ef830), closes #4339
-
Bugfix: Keep all gateways registered (#4345) (5a87991), closes #4345
-
Bugfix: Fix of Tomcat customizers to be supported also by reactive framework (#4336) (3bff245), closes #4336
-
Bugfix: Requirement of client certificate on ZAAS call when AT-TLS is used & add AT-TLS support to DC (#4347) (47525ee), closes #4347
-
Feature: New configuration property `apiml.security.forwardHeader.trustedProxies` added to specify the regular expression pattern used to identify trusted proxies from which `X-Forwarded-*` headers are accepted and forwarded. Mitigates CVE-2025-41235. (#4171) (ff8c81d), closes #4171
-
Feature: Support independent response time route setting (#3981) (aba1b0f), closes #3981
-
Feature: Apiml Spring-Modulith based module with ZAAS service (#4108) (738915e), closes #4108
-
Feature: Add check of certificate signing algorithm in Certificate Analyzer tool (#4121) (39274e7), closes #4121
-
Feature: Apiml Spring-Modulith based module with Gateway and Discovery services (#4051) (47c3e60), closes #4051
-
Feature: Certificate validation improvements (#4017) (b45747f), closes #4017
-
Feature: Onboarding Python Enabler (#4068) (3f966f3), closes #4068
-
Feature: Eureka client connection timeout (#4045) (0e3c116), closes #4045
-
Feature: Disable retry for configured services (#4265) (1fbde4c), closes #4265
-
Bugfix: Gateway returns empty auth keys from z/OSMF when `apiml.security.auth.zosmf.jwtAutoconfiguration` is set to `jwt`. (#4108) (738915e), closes #4092
-
Bugfix: Update start.sh settings for caching service (#4226) (328a4c6), closes #4226
-
Bugfix: API ML startup message in modulith mode (#4216) (fbd3356), closes #4216
-
Bugfix: Fix SAF auth check in non-modulith (#4212) (b2ddf07), closes #4212
-
Bugfix: Modulith mode does not distribute logout (#4191) (82b96f5), closes #4191
-
Bugfix: Disable infinispan diagnostics by default (#4157) (d1b6972), closes #4157
-
Bugfix: Fix obtaining public keys if there is unsupported type of key (#4154) (a7d3700), closes #4154
-
Bugfix: Generate git properties file before release build (#4173) (2ce6e5b), closes #4173
-
Bugfix: Release build without cache (#4179) (5898329), closes #4179
-
Bugfix: Remove duplicate log messages (#4147) (d57f9c0), closes #4147
-
Bugfix: Fix detection of connection issue (#4142) (e33d27a), closes #4142
-
Bugfix: Set memory limit for javap (#4141) (fcb021f), closes #4141
-
Bugfix: Config change for Gateway Endlessly Spamming Issue (#4095) (08bd675), closes #4095
-
Bugfix: Adding HSTS header when AT-TLS enabled V3 (#4052) (143d73f), closes #4052
-
Bugfix: Non-strict hostname verification in Jetty client for WebSockets (#4073) (a4768e2), closes #4073
-
Bugfix: Fix SSO issue in the API Catalog (#4070) (fb52fa6), closes #4070
-
Bugfix: Disable hostname verification with nonStrict (#4069) (9046e99), closes #4069
-
Bugfix: Empty username does not cause NPE during PassTicket generation (#4054) (588d030), closes #4054
-
Bugfix: jacoco in jib supports Java 21 (#4060) (92ec601), closes #4060
-
Bugfix: Change error code SERVICE_UNAVAILABLE to INTERNAL_SERVER_ERROR when PassTicket generation fails (6ab6cc3), closes #4047
-
Bugfix: Allow double slash in url (#4030) (6760eed), closes #4030
-
Bugfix: Fix choosing correct client certificate for outbound communication from the Gateway (#4033) (e38d3e1), closes #4033
-
Bugfix: PAT validation log messages (#4036) (d0f5645), closes #4036
-
Bugfix: File log appender for debug profile (#4020) (d176bfd), closes #4020
-
Bugfix: Improve WebSocket message (#4019) (662b7b2), closes #4019
-
Bugfix: Allow special characters in url (#4008) (1a9c4ad), closes #4008
-
Bugfix: Add Authentication header for routed requests (#4000) (a018591), closes #4000
-
Bugfix: Support Authorization header in deterministic routing (#3998) (b630e62), closes #3998
-
Bugfix: Workaround for API Catalog redirect behavior in desktop (#4007) (ed86e0f), closes #4007
-
Bugfix: Add newPassword to the Swagger (#3999) (2b60a62), closes #3999
-
Bugfix: Replace default Spring x.509 Authentication in ZAAS (#3971) (6290b1f), closes #3971
-
Bugfix: Use HA instance ID in path to Infinispan storage location (v3) (#3960) (3627cc9), closes #3960
-
Feature: Override external URL for additional registration (#3935) (d5dd912), closes #3935
-
Feature: Support OIDC token to authenticate in API Catalog (#3925) (a4ead1d), closes #3925
-
Feature: Allow obtaining certificates from multiple sources (#3914) (2e028cb), closes #3914
-
Feature: Rate limit per service (#3903) (cad63cb), closes #3903
-
Feature: Add validate oidc token call to zaas client (#3897) (3f0ac10), closes #3897
-
Feature: Java sample to authenticate with client certificate (#3862) (992deb3), closes #3862
-
Feature: Support client AT-TLS setting (#3828) (75cf96b), closes #3828
-
Bugfix: Make "native" the default SAF authorization provider (#3937) (f4aafe6), closes #3937
-
Bugfix: z/OSMF static definition conversion (#3938) (d998b5a), closes #3938
-
Bugfix: Do not leak 'exampleSetFlag' in api doc (v3.x.x) (#3933) (ee31cd9), closes #3933
-
Bugfix: Improve error handling in case of failure when retrieving API doc (#3932) (3fb0d59), closes #3932
-
Bugfix: Remove the word 'central' from the log messages (#3929) (1ce5918), closes #3929
-
Bugfix: Fix services endpoint to show correct list of onboarded services (#3919) (3d20320), closes #3919
-
Bugfix: Auto conversion during z/OSMF static definition creation (#3930) (1106cb9), closes #3930
-
Bugfix: Improve untrusted certificate message when certificate is not forwarded (#3927) (25ae2ed), closes #3321
-
Bugfix: Correct apiBasePath & server URL for primary and additional Gateways (#3922) (aa50350), closes #3922
-
Bugfix: Enable infinispan debug logs messages with caching service in debug mode (#3925) (6c6306a), closes #3905
-
Bugfix: Specify content type when validating OIDC (#3902) (ae65470), closes #3902
-
Bugfix: Fix handling unavailable services (#3879) (d285a33), closes #3879
-
Bugfix: Semantic of onboarded Gateways in the multitenancy deployment (#3884) (a94029b), closes #3884
-
Bugfix: Upgrade spring boot with HTTP headers workaround (#3882) (8054063), closes #3882
-
Bugfix: Handle exceptions that could arise in the passticket authentication schema (#3871) (defe1dc), closes #3871
-
Bugfix: Use default JDK DNS resolver (#3877) (bf1f2ed), closes #3877
-
Bugfix: Trailing quotes in z/OSMF static definition not having matching initial ones (#3875) (adefa8a), closes #3875
-
Bugfix: Restore handling mode of x-forwarded-prefix as it is used in v2 (#3874) (a18df27), closes #3874
-
Bugfix: Do not fail when headers cannot be modified (#3845) (084eb6d), closes #3845
-
Bugfix: Fix error message in case of TLS error (#3864) (945fc9c), closes #3864
-
Bugfix: Update Gateway schema with OIDC config parameters (#3867) (19ece5e), closes #3867
-
Bugfix: Respect SSL strictness in enabler (#3813) (bc55168), closes #3813
-
Bugfix: Configure SSL context for webclient (#3811) (476c69b), closes #3811
-
Bugfix: Change refill strategy for API rate limiting (#3949) (32793d87), closes #3949
-
Bugfix: Fix LogBack configuration (#3962) (56edec3), closes #3962
-
Bugfix: Fix order of Gateway filter to avoid random malfunction of routing (#3966) (4751f53), closes #3966
Breaking changes in API ML
| Change in Zowe V3 | Required action |
|---|---|
| Authentication endpoints no longer support the route /api/v1/gateway. Only /gateway/api/v1 is now supported. | If you use the endpoints directly, change the URLs to start with /gateway/api/v1. If you use ZAAS client to integrate with API Mediation Layer, no action is required as the change is handled in the ZAAS client code. |
| Spring Enabler has been updated to Spring Boot 3 and Spring 6. Spring Boot 2 and Spring 5 versions are no longer supported. | Upgrade extending services based on the Spring Enabler to Spring Boot 3 and Spring 6. |
| Datasets API has been archived | This service was disabled by default in Version 2. If you enable the service via components.data-sets.enabled: true and use the APIs documented in Data sets Swagger, it is necessary to move to the usage of the similar z/OSMF endpoints. |
| Jobs API will be archived | The service was disabled by default in Version 2. If you enable the service via components.jobs.enabled: true and use the APIs documented in Jobs Swagger, it is necessary to move to the usage of the similar z/OSMF endpoints. |
| Metrics service has been archived | The service was in Technical Preview. Currently there is no replacement. In V3, the Open Telemetry standard will be implemented, which will serve as a replacement. |
| IMS API has been archived | The service was not fully supported. If you were using the API, please reach out to the IBM team for follow-up steps. |
| Java 17 is required to run the API Mediation Layer | For V3, it is necessary to update z/OS to version 2.5 or later as this brings support of Java 17. It is necessary to install Java 17 and provide the path to Java 17 to Zowe Java configuration. |
| z/OSMF in version V2R5 with APAR PH12143 applied | If you are running a version of z/OS before 3.1, validate that the PH12143 APAR was applied to the z/OSMF installation used by Zowe. The Zowe YAML parameter components.gateway.apiml.security.auth.zosmf.jwtAutoconfiguration for the gateway component has changed. The value auto is no longer allowed. Choose either the default jwt or ltpa depending on if your z/OSMF is set up for JWT use as recommended. See example-zowe.yaml for new component values. |
| Configuration of keyrings now requires transformation from safkeyring://// to safkeyring:// | If your Zowe configuration contains safkeyring:////, change this part to safkeyring://. |
| Support access to z/OSMF only through /ibmzosmf route. V3 will not support access through the /zosmf route | If you use z/OSMF via {apimlUrl}/zosmf/{zosmfEndpoint} you need to move to {apimlUrl}/ibmzosmf/{zosmfEndpoint}. |
| Error code change for nonexistent services | Nonexistent service returns 404 with error code ZWEAO404E |
| Service ids with underscore in service id won't be routed | Replace underscore with another character like - or remove it altogether from the service id |
New features and enhancements in API ML
The current API Gateway contains the Authentication and Authorization Service. This service will be separated as a standalone service. The Authentication and Authorization Service is the only API ML service that directly requires z/OS.
Changelog
-
Feature: Use networking standard config (improved) (#3765) (aef67a3), closes #3765
-
Feature: GraphiQL Playground (#3660) (9e23fba), closes #3660
-
Feature: Websocket connection configuration (#3700) (eb98b13), closes #3700
-
Feature: Disable routing to Discovery and ZAAS from Gateway (#3688) (1139243), closes #3294
-
Feature: Add deterministic routing and sticky session load balancing (#3658) (0f62119), closes #3658
-
Feature: Create ZAAS service, use Cloud Gateway as Gateway (#3568) (4953604), closes #3568 #3567 #3571 #3572
-
Feature: Catalog version in footer for Login, Dashboard and Detail pages (#3554) (fd75d1b), closes #3554
-
Feature: Cloud Gateway support of AT-TLS (#3545) (e9c9da6), closes #3545
-
Feature: Add OIDC login flow schema and enable allowedUsers customization in zowe.yaml (#3533) (43a7c57), closes #3533
-
Feature: OIDC authentication flow (#3510) (0275eff), closes #3510
-
Bugfix: Fix Discovery Eureka response if the service is not registered to allow to reconnect by Enabler (#3795) (9f58010), closes #3795
-
Bugfix: Move security configuration back to gateway section (#3775) (2513ff1), closes #3775
-
Bugfix: Gateway ends with internal server error if cookies are invalid (#3767) (eeaee5c), closes #3767
-
Bugfix: Do not resolve hostname when not required (#3751) (39e75b1), closes #3751
-
Bugfix: ClosableHttpClient.execute() resource leak on API catalog (#3722) (a330907), closes #3722
-
Bugfix: The API ML prefix for registry configuration (#3746) (f972d0c), closes #3746
-
Bugfix: ZAAS reads configuration from Gateway as default, possible to override with local configuration (#3744) (fc7ae4e), closes #3744
-
Bugfix: Remove "AUTO" from JWT configuration and clean up outdated APARs from mock service (#3717) (a81abe8), closes #3717
-
Bugfix: Update default javax.net.ssl log levels (#3716) (f46561c), closes #3716
-
Bugfix: Use Zowe provided java location if available (#3714) (fb2863c), closes #3714
-
Bugfix: Stacktrace on unreachable swagger and remove handling for deprecated method (#3699) (3606dd6), closes #3699
-
Bugfix: Protect health endpoint with authentication as default (#3676) (806de5c), closes #3676
-
Bugfix: Pretty path URL in Gateway Swagger documentation in the API catalog (#3679) (a88ace6), closes #3679
-
Bugfix: Fix Swagger API documentation for Gateway (#3678) (abbd08f), closes #3678
-
Bugfix: Support customized code snippets in case of endpoint with query params (#3666) (7c5c067), closes #3666
-
Bugfix: Tweak gateway status page to have consistent casing (#3560) (7d55cd9), closes #3560
-
Bugfix: Independent scanning and loading of extension's classes (#3548) (8d2d3bb), closes #3548
-
Bugfix: Fix SSL Context switching (#3531) (e7575f6), closes #3531
-
Bugfix: Updating of SSL configuration in the Tomcat (#3403) (ba86c0e), closes #3403
-
Bugfix: Using `ibmzosmf` as service ID (#3302) (305dea3), closes #3302
-
Bugfix: Update z/OSMF service ID (#3296) (037391a), closes #3296
-
Bugfix: Update serviceId in the Gateway starting script (#3255) (4acb107), closes #2889
-
Bugfix: Fix truststore for websockets in Spring Cloud Gateway (#3248) (96c4cc8), closes #3248
-
Bugfix: Fixing static definition of z/OSMF in discovery package (#3251) (4c3ccb2), closes #2889
To show the changelog of older versions, follow one of these links: