The Runtime Manager > Inbound Messaging configuration user interface has been simplified by removing the option to specify the number of replicas. The number of replicas is now set to equal the number of controller nodes.
If the number of replicas is currently set to fewer than the number of controllers, the next time you click the Deploy button for Runtime Manager > Inbound Messaging, the number of replicas is automatically changed to equal the number of controller nodes. It is not necessary to issue a kubectl scale command.
The Inbound Traffic software for Anypoint Runtime Fabric 1.5.0 and later will be updated only after the Runtime Fabric version is upgraded. The Inbound Traffic deployment that follows the Runtime Fabric version upgrade will trigger the new version of the Inbound Traffic software to run.
Runtime Fabric versions earlier than 1.5.0 will still trigger Inbound Traffic software version updates upon deployment, independently of Runtime Fabric version upgrades.
Simplified TLS Configuration
When you configure inbound traffic for Anypoint Runtime Fabric, you can now upload a PEM or JKS file or import a TLS context from the secrets manager.
Fixed the issue that caused the Runtime Manager > Runtime Fabrics > Inbound Traffic page to erroneously display inbound traffic as disabled for users who were in a business group that inherited a Runtime Fabric instance.
If you try to change the TLS configuration on the Runtime Manager > Runtime Fabrics > Inbound Traffic page from using a PEM or JKS file to using a secrets manager, an error is returned.
Workaround
Follow these steps to make the update:
In the Runtime Manager > Runtime Fabrics > Inbound Traffic page, use the Enable inbound traffic slider to disable traffic.
After the deployment is complete, use the slider to reenable inbound traffic.
In TLS Configuration, select Import from Secrets Manager.
This release contains the following fixed issues:
Anypoint Runtime Fabric inbound load balancer now allows a maximum of 100 inbound headers and trailers in an HTTP request message by default.
The issue where streaming over a slow network caused a connection reset by peer error is fixed.
Runtime Fabric inbound load balancer no longer percent-encodes URI-reserved characters (per RFC 3986). The one exception is that two forward slashes (//) are converted to one forward slash (/); previously, the double forward slashes were retained.
This change might require you to update applications that rely on the character-encoding behavior of previous releases.
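To find requests that the URI handling change above will affect, the following script (an added example, not MuleSoft code) models the two documented behaviors against a constructed set of access-log lines: reserved characters pass through unencoded, and a double forward slash in the path collapses to one. It assumes that only the path component is rewritten (the query string is left alone) and that a run of more than two slashes collapses the same way; neither detail is stated in the release notes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (method, request target, status); not from the page.
SAMPLE_LOG = """\
GET /api//orders/42 200
GET /api/orders/42 200
GET /api/items/a%20b 200
GET /files/report;v=1/download 200
GET /api/orders//2024//12 200
POST /callback?next=https://example.internal/path 302
"""

# RFC 3986 reserved characters (gen-delims and sub-delims); the load balancer now
# passes these through unencoded, so an upstream application must handle them raw.
RESERVED = set(":/?#[]@!$&'()*+,;=")


def normalize_path(path):
    """Model the documented behaviour: reserved characters are left as-is and a
    double forward slash is collapsed to a single slash. Assumption: a run of more
    than two slashes collapses the same way, and only the path component is touched."""
    return re.sub(r"/{2,}", "/", path)


def affected_requests(log_text):
    """Return (method, original_target, rewritten_target) for each logged request
    whose path the load balancer will now rewrite. Run it over pre-upgrade logs
    to find clients that depend on double slashes surviving."""
    hits = []
    for line in log_text.splitlines():
        method, target, _status = line.split()
        parts = urlsplit(target)  # the query string is deliberately left untouched
        new_path = normalize_path(parts.path)
        if new_path != parts.path:
            hits.append((method, target, parts._replace(path=new_path).geturl()))
    return hits


def raw_reserved_chars(target):
    """List the reserved characters (other than '/') in a request path; the upstream
    app now receives these unencoded rather than percent-encoded."""
    path = urlsplit(target).path
    return sorted(ch for ch in set(path) if ch in RESERVED and ch != "/")


if __name__ == "__main__":
    for method, before, after in affected_requests(SAMPLE_LOG):
        print(f"{method} {before} -> {after}")
    print(raw_reserved_chars("/files/report;v=1/download"))
```

Any request reported by affected_requests reaches the application with a different path than before the upgrade, so routes, authorization rules or caches keyed on the raw path need to be checked on that side.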
Anypoint Runtime Fabric load balancer ignores client-side cipher preferences and applies its own server-side preference order, which is not based on cipher strength.
Runtime Fabric load balancer does not allow you to change this order; it only allows opting in to and out of individual ciphers.
The server-side preference order for Runtime Fabric load balancer cipher connections is:
TLS 1.3
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS 1.2
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA1
ECDHE-ECDSA-AES256-SHA1
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
AES256-GCM-SHA384
AES256-SHA256
ECDHE-RSA-AES128-SHA1
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA1
ECDHE-ECDSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-SHA256
AES128-GCM-SHA256
AES128-SHA256
This release includes the following updates and deprecations.
The internal load balancer in Anypoint Runtime Fabric is now powered by OpenSSL 1.1.1 and supports TLS 1.3, which provides:
A 2x or greater throughput boost for TLS 1.2 connections compared with prior versions of the Runtime Fabric internal load balancer running on OpenSSL 1.0.2.
One fewer round trip in the full handshake for TLS 1.3 compared with TLS 1.2.
TLS 1.3 protection against downgrade attacks.
Support for the following ciphers, some of which are enabled by default when the applicable protocol is selected:
TLS 1.1
ECDHE RSA AES256 SHA1 (Default)
ECDHE ECDSA AES256 SHA1 (Default)
ECDHE RSA AES128 SHA1
ECDHE ECDSA AES128 SHA1
TLS 1.2
DHE RSA AES256 GCM SHA384
ECDHE RSA AES256 GCM SHA384 (Default)
ECDHE ECDSA AES256 GCM SHA384 (Default)
DHE RSA AES128 GCM SHA256
ECDHE RSA AES128 GCM SHA256 (Default)
ECDHE ECDSA AES128 GCM SHA256 (Default)
ECDHE ECDSA CHACHA20 POLY1305
ECDHE RSA CHACHA20 POLY1305
DHE RSA CHACHA20 POLY1305
AES256 GCM SHA384
AES128 GCM SHA256
DHE RSA AES256 SHA256
DHE RSA AES128 SHA256
ECDHE RSA AES256 SHA1
ECDHE ECDSA AES256 SHA1
ECDHE RSA AES128 SHA1
ECDHE ECDSA AES128 SHA1
AES256 SHA256
AES128 SHA256
TLS 1.3
TLS AES 256 GCM SHA384 (Default)
TLS CHACHA20 POLY1305 SHA256 (Default)
TLS AES 128 GCM SHA256 (Default)
TLS 1.2 and TLS 1.3 ChaCha20-Poly1305 ciphers provide better mobile and IoT device support.
The following features are removed in the TLS 1.3 and OpenSSL 1.1.1 offering:
Static RSA handshake (no perfect forward secrecy)
CBC MtE modes
RC4
SHA1, MD5
Compression
Renegotiation
DSA (DSS) key support as a TLS signature scheme
The following ciphers are deprecated for Runtime Fabric default ingress and CSM after the introduction of OpenSSL 1.1.1.
Deprecated DSS ciphers and support for DSS keystores:
DHE DSS AES256 GCM SHA384
DHE DSS AES128 GCM SHA256
DHE DSS AES256 SHA256
DHE DSS AES256 SHA1
DHE DSS CAMELLIA256 SHA1
DHE DSS CAMELLIA128 SHA1
DHE DSS AES128 SHA256
DHE DSS AES128 SHA1
Deprecated TLS v1.2 ciphers
AES128 SHA1
AES256 SHA1
DES CBC3 SHA1
CAMELLIA256 SHA1
CAMELLIA128 SHA1
ECDHE RSA DES CBC3 SHA1
ECDHE ECDSA DES CBC3 SHA1
DHE RSA AES256 SHA1
DHE RSA AES128 SHA1
Deprecated TLS v1.1 ciphers
ECDHE RSA DES CBC3 SHA1
DHE RSA AES128 SHA1
DHE RSA AES256 SHA1
ECDHE ECDSA DES CBC3 SHA1
AES128 SHA1
AES256 SHA1
You cannot deploy Runtime Fabric default ingress with a DSS keystore. If a deprecated cipher is included in a configuration or deployment call, the deprecated cipher is ignored (assuming there is at least one nondeprecated cipher in the request), and the following deprecation header warning is returned in the response:
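The next script, an added example rather than MuleSoft's code, serves two passages above: the fixed server-side preference order (which you cannot reorder, only opt in to and out of) and the deprecation rule (deprecated ciphers are ignored as long as one non-deprecated cipher remains, and DSS keystores are not accepted). Given a proposed opt-in list in either of the spellings the notes use, it predicts the effective negotiation order and which entries will be dropped. The "outranked" and "no cipher remains" checks are this example's own advisory checks and are not behavior the release notes describe.

```python
import re

# Server-side preference order stated in the release notes: TLS 1.3 suites first,
# then TLS 1.2 suites, in the order the load balancer applies them.
SERVER_PREFERENCE = [
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA1", "ECDHE-ECDSA-AES256-SHA1",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
    "ECDHE-RSA-AES128-SHA1", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-SHA1", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256",
]

# Ciphers the release notes list as deprecated (DSS, TLS 1.2 and TLS 1.1 lists merged).
DEPRECATED = {
    "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES256-SHA256",
    "DHE-DSS-AES256-SHA1", "DHE-DSS-CAMELLIA256-SHA1", "DHE-DSS-CAMELLIA128-SHA1",
    "DHE-DSS-AES128-SHA256", "DHE-DSS-AES128-SHA1",
    "AES128-SHA1", "AES256-SHA1", "DES-CBC3-SHA1", "CAMELLIA256-SHA1", "CAMELLIA128-SHA1",
    "ECDHE-RSA-DES-CBC3-SHA1", "ECDHE-ECDSA-DES-CBC3-SHA1",
    "DHE-RSA-AES256-SHA1", "DHE-RSA-AES128-SHA1",
}


def canonical(name):
    """Normalise the space- and hyphen-separated spellings used in the notes to one
    form: underscores for TLS 1.3 suite names, hyphens for everything else."""
    name = name.strip().upper()
    sep = "_" if name.startswith(("TLS ", "TLS_")) else "-"
    return re.sub(r"[\s_-]+", sep, name)


def is_aead(cipher):
    """AEAD suites (GCM, ChaCha20-Poly1305); the rest of the list are CBC/SHA suites."""
    return "GCM" in cipher or "POLY1305" in cipher


def plan_cipher_config(requested, keystore_type="RSA"):
    """Predict how the load balancer will treat a requested opt-in list.

    Returns the effective negotiation order (server preference applied to the accepted
    suites), the deprecated suites that will be ignored, names not in the documented
    list, non-AEAD suites that outrank an AEAD suite in the effective order, and errors.
    """
    canon = [canonical(c) for c in requested]
    ignored = [c for c in canon if c in DEPRECATED]
    unknown = [c for c in canon if c not in DEPRECATED and c not in SERVER_PREFERENCE]
    wanted = {c for c in canon if c in SERVER_PREFERENCE}
    effective = [c for c in SERVER_PREFERENCE if c in wanted]

    errors = []
    if keystore_type.upper() == "DSS":
        errors.append("DSS keystores are not supported for default ingress")
    if not effective:
        errors.append("no non-deprecated cipher remains in the request")

    # Because the server order is not strength-based, a CBC/SHA1 suite you opted in to
    # can be preferred over an AEAD suite that appears later in the fixed order.
    outranked = [c for i, c in enumerate(effective)
                 if not is_aead(c) and any(is_aead(later) for later in effective[i + 1:])]

    return {"effective": effective, "ignored": ignored, "unknown": unknown,
            "outranked": outranked, "errors": errors}


if __name__ == "__main__":
    request = ["TLS AES 256 GCM SHA384", "ECDHE ECDSA AES128 GCM SHA256",
               "ECDHE-RSA-AES256-SHA1", "DHE RSA AES256 GCM SHA384",
               "DHE DSS AES256 GCM SHA384"]
    for key, value in plan_cipher_config(request).items():
        print(f"{key}: {value}")
```

The practical lesson is the "outranked" list: since you cannot reorder suites, the only way to keep a CBC/SHA1 suite from being chosen ahead of a GCM suite is to leave it opted out.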
This release contains the following fixed issue:
Issue:
Previously, users could not configure a longer or shorter response timeout for API requests (default 300 seconds), or a longer or shorter write-acknowledgement timeout for data received in API requests (default 10 seconds).
Fix:
To allow configuration of longer or shorter response times, new fields (Read Request Timeout and Write Request Timeout) have been added to the Runtime Manager inbound traffic configuration in the Advanced Options section.
This release contains the following fixed issues:
When the DNS became unavailable, the internal load balancer in Anypoint Runtime Fabric failed to route messages to Mule apps or API gateways in some circumstances (for example, when a Runtime Fabric controller node was restarted).
Updated DNS caching for entries stored in the Runtime Fabric internal load balancer or Edge gateway to not expire in the event DNS is unavailable.
Fixed an issue where the Runtime Fabric internal load balancer / Edge gateway pod would restart in certain cases when DNS was unavailable.
Fixed an issue with the error message coresMax is greater than max value that occurred when enabling inbound traffic on Runtime Fabric.
The special characters $ and { in a URI were not accepted by the Runtime Fabric internal load balancer or Edge gateway as valid characters. These characters are now accepted.
This release contains the following fixed issue:
The OpenSSL 1.0.2s library used for inbound traffic processing for Runtime Fabric incoming messages has a known performance issue, which degrades TLS connection throughput. [SE-12030]
Solution:
The OpenSSL library used for inbound traffic processing is reverted to OpenSSL 1.0.2p to recover performance.
This release contains the following fixed issue:
Runtime Fabric inbound traffic service did not accept spaces in the private key passphrase and failed to properly serve inbound traffic. [SE-12071]
Solution:
The Runtime Fabric inbound traffic service now accepts a passphrase containing spaces and serves inbound traffic with such keys as expected.