Copyright

Copyright © 2019 Balasys IT Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balasys.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

Linux™ is a registered trademark of Linus Torvalds.

Windows™ 10 is a registered trademark of Microsoft Corporation.

The Balasys™ name and the Balasys™ logo are registered trademarks of Balasys IT Ltd.

The Proxedo™ name and the Proxedo™ logo are registered trademarks of Balasys IT Ltd.

AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.

Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

Balasys is not responsible for any third-party websites mentioned in this document. Balasys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balasys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

2024-09-09

The following new features, bug fixes and improvements have been completed for Release 4.11.0 Proxedo API Security.

Features

  • Service category split
    Components that deal with system-wide configuration options have been split from the Service category into a new category, System. Backends, Endpoints, and Listeners stay in the Service category.

  • License is now part of the component configuration
    The product license file required special handling, but now it is part of the component configuration.

    • A new File brick type has been introduced, called License. The format is validated upon upload. Several licenses can be stored in the configuration, so a new license can be readily swapped in when the old one expires.

    • A new System component has been introduced, called License. It can select a single License File, which will be used by the core components after the configuration change is applied.

    • A new integrity check warns in advance when the number of Backends or Endpoints would exceed the limits of the selected license.

    • The details of the current license can be viewed on the Status page.

  • Selector rework

    • The Save As field of Selectors has been renamed to Save As Key for clarity.

    • The Save As Key field now has a default value, <Selector Name>. This value means that the Selector's result will be saved under a key that equals the Selector's name.

    • Certain Selectors that can return a dictionary of values now have a new flag, Save Under Key, which is set to True by default. This is the original behaviour, which means that the resulting dictionary will be saved as a dictionary under the defined key. If this flag is turned to False, the items of the resulting dictionary will be saved individually as separate key-value pairs.

  • Insight message rework
    The Message field of Insight plugins was not present in the output of Syslog Insight Targets when the data format was set to JSON. Syslog Insight Targets now include an Include Message flag and a Message Key field that specifies the key to use when assembling JSON output. Also, a new configuration integrity check has been introduced to handle cases where this Message Key would conflict with the Save As Key field of Selectors.

  • HTTP Method Matchers and Selectors are now case sensitive
    Previously, HTTP methods were handled as case insensitive in both Matchers and Selectors. The RFC and the industry practice differ, so PAS now supports both. Method Selectors previously returned lowercased values; they now return values as extracted from the source. Method Matchers were case insensitive; they now have a flag that lets the administrator decide.

  • New Matcher for backend response time
    A new Matcher, Backend Response Time, has been introduced to match on the time it takes for the backend server to respond to the call.

  • TLS 1.3 support in LDAP authentication
    The LDAP authentication in the Configuration API now supports TLS version 1.3.
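
The Selector rework and Insight message rework items above, as an added Python model that is not PAS code or PAS configuration syntax. The dictionary field names (`save_as_key`, `save_under_key`), the function names and the sample values are assumptions constructed for illustration; the semantics follow the two release notes.

```python
import json

DEFAULT_KEY = "<Selector Name>"  # default value of Save As Key, per the release note

def effective_key(selector):
    """Key under which a Selector's result is saved."""
    key = selector.get("save_as_key", DEFAULT_KEY)
    return selector["name"] if key == DEFAULT_KEY else key

def collect(selectors, results):
    """Build the saved key-value data from the Selectors' results."""
    data = {}
    for sel in selectors:
        value = results[sel["name"]]
        if isinstance(value, dict) and not sel.get("save_under_key", True):
            data.update(value)                # Save Under Key = False: items saved individually
        else:
            data[effective_key(sel)] = value  # original behaviour: one value under the key
    return data

def message_key_conflicts(selectors, message_key):
    """Names of Selectors whose Save As Key equals the target's Message Key."""
    return [s["name"] for s in selectors if effective_key(s) == message_key]

def syslog_json(data, message, message_key, include_message=True):
    """Assemble the JSON output of a (modelled) Syslog Insight Target."""
    if include_message and message_key in data:
        # A JSON object holds one value per key, so one of the two would be lost.
        raise ValueError(f"Message Key {message_key!r} collides with saved data")
    out = dict(data)
    if include_message:
        out[message_key] = message
    return json.dumps(out, sort_keys=True)

# Constructed sample configuration and Selector results (hypothetical names and values).
SELECTORS = [
    {"name": "client_ip"},                                           # saved as "client_ip"
    {"name": "request_headers", "save_as_key": "hdr", "save_under_key": False},
    {"name": "note", "save_as_key": "message"},                      # clashes with "message"
]
RESULTS = {
    "client_ip": "192.0.2.10",
    "request_headers": {"host": "api.example.test", "accept": "*/*"},
    "note": "constructed note",
}

if __name__ == "__main__":
    saved = collect(SELECTORS, RESULTS)
    print(message_key_conflicts(SELECTORS, "message"))
    print(syslog_json(saved, "request blocked", "insight_message"))
```
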

Bug Fixes

  • Insight Message default was not visible
    The default value of the Insight plugin’s Message field was the name of the plugin, but this was not visible on the Web UI. A special value, <Insight Name>, was introduced, which means that the Message field by default communicates the name of the Insight plugin that produced the message.

  • The Configuration API’s OpenAPI schema was invalid
    The OpenAPI schema of the Configuration API contained validation errors, which have been corrected. Also, some validation endpoints were missing from the schema, which are now present.

  • More robust /ready/management endpoint
    The /ready/management endpoint could time out in certain situations. This has been corrected.

  • Miscellaneous fixes

    • Harmless, nfqueue-related error messages were visible in the startup logs of Transport Director; these have been silenced.

    • Validation errors on the URLs field of Endpoints were displayed incorrectly.

    • Validating a zip file as an XSD File brick could produce an HTTP 500 response.

    • Validating an invalid zip file as a CA File brick could produce an HTTP 500 response.

    • If the certificate file for the LDAP configuration was missing, the Configuration API could fail to start without a meaningful error message.

Improvements

  • Message field removed from Local Log type Insight Targets
    The Message field on Insight Targets with the Local Log type had no purpose, and has been removed.

  • The /service_status Web UI endpoint has been renamed to /status
    The /service_status endpoint on the Web UI has been renamed to /status to better communicate its purpose.

  • Certificates are generated even without Docker login
    Secrets like certificates are generated during the simplified installation process even if the login to the Docker registry fails or is not available. Only a local Consul image has to be present.

  • Notification when leaving an edit page with a list field
    When attempting to navigate away from an open edit page without saving selected list items, a notification is displayed to avoid accidental data loss.

  • Error handling on the Web UI
    The Web UI is now capable of properly handling HTTP 4xx errors.

  • More thorough Flow Director component health check
    The health check of the Flow Director component now includes the verification of the connection towards the Insight Director, which makes the Status page more accurately reflect the state of the PAS components.

  • Kubernetes 1.30 support
    PAS is now tested with Kubernetes 1.30.

  • Administrator Guide improvements
    The Administrator Guide received some improvements related to correctness and consistency.