Skip to content
CA API Gateway - 9.3
Documentation powered by DocOps

Resolved Issues

Last update June 7, 2019

Issues Resolved in Version 9.3

Fixed Issue ID Description

Outbound client mutual authentication keep-alive is now enabled by default.

Previously, enabling this required a manual change to the Gateway system property com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable to 'true'; otherwise, a new connection would be created for each pass.

DE211306 Corrected an issue with RBAC role not allowing CA SSO to be registered.Userwas unable to register an SSO configuration if the permission had been granted with a scope rather than <ALL>. This has since been fixed.
DE211590 Corrected an issue where Internet Explorer was unable to handle multiple headers resulting from Ajax calls to the Gateway. This was resolved by adding a new cluster-wide property. See Process CORS Request Assertion for more information.
DE212186 Corrected an issue which prevented importing certificate when there were international characters in the "issued to" field.
DE212556 Corrected an issue where the software database keystore might become corrupted when large expiry days was entered. The Policy Manager now reminds you that "Days until expiry must not push beyond year 9999".

Corrected an issue where the logged CN from the Require SSL or TLS Transport Assertion is from the client certificate's issuer CA, and not from actual CN of the Client Certificate.


Corrected a couple of NullPointerException issues with the AdminSessionManager. 


Corrected an issue with RBAC for Manage Identity Providers role. A user with this role now has permissions and visibility into Identity Provider properties.

DE226997 Corrected an issue where not allxpathquery results were capitalized when using the upper-case function.

Corrected an issue where the extraction of SAML attributes terminated Gateway service when an attribute was empty.

DE242553 Corrected an issue where the Audit Sink Policy failed to convert Audit Record to XML when Query LDAP Assertion returned NULL.
DE247881 The Gateway is now able to process special characters (specifically £) in stored passwords.
DE254507 Corrected an issue with Accumulate Data in Memory Assertion. Previously, attempts to use the assertion to optimize shipment of audit logs off-box were not successful due to log records being corrupted. This issue has been fixed.
DE256045 If a JSON object contains a forward slash in the JSON object input, then the Gateway appends a backslash to 'escape' the forward slash in the Evaluate JSON Path Expression Assertion outputs. To prevent this issue, set the json.evalJsonPathWithCompression cluster property to 'true'.
DE256549 Corrected an issue where the Create Routing Strategy Assertion would not function within a Scheduled Task.
DE263288 Corrected an issue where Validate JSON Schema Assertion did not give results according to the JSON Schema specifications.

Corrected an issue where the user was able to access WebSocket Connection after installing the CA API Gateway Enterprise license, but was unable to create a connection.

DE267998 Corrected a caching issue with the Perform JDBC Query Assertion. The maximum age for a JDBC connection has been increased from 500 ms to 5000 ms.
DE269613 Corrected an issue with the GatewayMigrationUtility.bat failing when running on a Windows server. This occurred when there were spaces in the directory path, and has since been fixed.
DE269676 Corrected the log output order when using Include Policy Fragment Assertion. Previously, policy logs from an include policy would be displayed in a reverse order. This has since been fixed.

Corrected an issue where Enterprise Service Manager fails to migrate cluster properties greater than 8192 characters in length. The result was that the migrated property was either empty or was corrupted.

DE273507 Corrected an issue where the Validate Against Swagger Document Assertion failed to validate the HEAD method.

Corrected false positive results from the Evaluate JSON Path Assertion. It was not failing as expected when searching for non-existent keys. This defect was observed in search strings starting with '$...', and has since been fixed in the new Evaluate JSON Path Expression V2 Assertion.

DE279171 Corrected an issue where an error dialog appeared in the Customize Error Response Assertion when highlighting all text (select all) in the "Response Body" using a multi-byte keyboard.
DE287710 Corrected an issue where new inputs to existing encapsulated assertions were not propagated correctly. Previously, the new inputs were only propagated by opening and saving each instance of the encapsulated assertion in each service policy.

Corrected an issue where the invalid characters appear in the response to a service which does not have charset (UTF-8) in its content type header.


Corrected an issue which prevented you from accessing WebSocket Connection to view all connections after installing the CA API Gateway Enterprise license.

DE295988 Corrected an issue where the Decode JSON Web Token Assertion was failing inconsistently with Gateway's standard policy execution logic.
DE296015 Corrected an issue where policy migration failed due spaces in the certificate common name.
DE297378 Corrected an issue with the Route via SSH2 Assertion, where enabling "Validate Servers host key" in the assertion causes a "9434: SSH routing error".
DE301894 Corrected an issue where JWT policy migration with "Sign Payload" option enabled failed when using the Enterprise Server Manager (ESM).

Corrected a connection issue between the Gateway and OCSP (Online Certificate Status Protocol) servers, where the connection was stuck in a CLOSE_WAIT loop.

DE303707 Corrected an issue with Kerberos Smart Card login error after updating from Gateway v8.3 to v9.2. Kerberos login now works as expected.
DE308152 There was an issue with updating cluster-wide property via RESTman when the character length exceeded 131,072. This issue has been fixed and maximum length has been increased to 4,194,304 characters.

Corrected an issue where entering a shorthand version of a time unit (for example, "5m" for five minutes) for the value of inbound and outbound WebSocket Cluster Properties would render the Gateway unable to start.

DE314461 Corrected a GMU (Gateway Migration Utility) issue that caused an error when using the templatized command for dependencies (IDT1).
DE315889 Corrected the Evaluate JSON Path Assertion to fail an invalid JSON request. Previously, an invalid JSON request with additional content after the ending curly brackets "}" in the request body did not fail and returned a response. This issue does not affect the newer Evaluate JSON Path Expression V2 Assertion.
DE316003 Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behave as expected.
Corrected an issue where an incorrect error message was returned when validating using JSON Schema.
DE317751 Corrected the Route via JMS Assertion to allow JMS properties that begin with "JMSX" and "JMS_" to pass through when you use the "Customize JMS message properties to forward" option. If you have incorporated custom branching logic to handle these properties, you may remove this logic.

Corrected Policy Manager stability issues.


Process Controller now supports TLS v1.1 and TLS v1.2 as per the latest PCI compliance. 

More Information

Using TLS v1.0 is no longer recommended from a security standpoint. To learn how to disable TLS v.1.0, refer to this Knowledge Base article: "TEC1620697 - How to disable TLS 1.0 usage in CA API Gateway and ESM" on the CA Support site.

US272812 Corrected an issue where Gateway returned the wrong response code for the CWD command when it worked as an FTP proxy.
US332200 Corrected the Service and Policy tree in the Policy Manager to no longer collapse the root folder when a fragment is converted to an encapsulated assertion.
DE268063 Corrected an issue where application events triggered unnecessary transaction handling causing application performance issues.

Corrected an issue with GMU (Gateway Migration Utility), where routing assertions in the migrated policy continued to search for the key on the source environment.

DE306979 Corrected an issue where the syslog sink failed to reconnect to the log server automatically when the IP of log server changes.

Changed the Evaluate JSON Path Expression Assertion to log an INFO level audit rather than a WARNING audit when the JSON path is not found.

Issues Resolved in Version 9.3 CR1

The 9.3 CR1 cumulative release includes the contents of CR and addresses these issues. Note: The 9.3 CR1 release must be installed on a v9.3 Gateway.

Fixed Issue ID Description

Updated the JDK version to JDK 1.8.0 Update 162.

More Information

Java 8 Update 161 now restricts Diffie-Hellman keys that are less than 1024 bits.

If your CA API Gateway connects to any server that uses Diffie-Hellman (DH) for key exchange (as part of the SSL handshake), ensure that the server is configured to support DH key size that is greater than or equal to 1024 bits. If the server is configured for DH key size less than 1024 bits, the SSL handshake fails when the Gateway attempts to connect. To diagnose this issue:

  • Enable network trace logging on the Gateway (-Dorg.eclipse.jetty.LEVEL=DEBUG
  • In the Gateway logs, look for a SSLHandShake exception: ""

For additional information, see the "Restrict Diffie-Hellman keys less than 1024 bits" section of the JDK 8 Update Release Notes.

DE271778 Corrected an error that caused a bundle import to fail if entities referenced in the bundle do not already exist in the target Gateway.
DE288220 Corrected an issue that caused the Gateway to fail to start up when unsupported certificates are imported.
DE303135 Changing a WebSocket connection now correctly updates all Gateway nodes, not just the node to which the Policy Manager is connected.
DE306924 Corrected performance issues caused by internal libraries that were accessing the file system too frequently.
DE306944 Corrected an issue that was causing the XMPP assertions to report a failure.
DE308073 Corrected an intermittent JMS failure after migrating to the latest release.
DE322333 Corrected intermittent errors that occurred in the Retrieve Kerberos Authentication Credentials Assertion.
DE329111 Corrected an issue where HTTP redirects in the Policy Manager do not function correctly and instead returns an error.
DE331350 Corrected an issue where idle or closed connections were not being cleaned up after use.
DE333386 Corrected an issue that caused the Gateway to incorrectly report JSON structure validation errors.
DE335768 Corrected an issue where authentication was rejected by SiteMinder Server when a non-default SSO zone name is specified along with Regenerate SSO Token option.

Corrected an issue with the Gateway Dashboard that prevented audit information from being displayed for a single service. Previously, right-clicking the chart to select "Show Audit Events" when a specific service was selected resulted in no audit information. Audits were displayed only when "<All Services>"  was selected.

DE337682  Corrected an issue where the Decode JSON Web Token Assertion on failure was leading to the failure of the entire policy.
DE337688 Corrected a GMU migration issue where the IPCheck option on destination gateway is enabled automatically.

Enhanced functionality to ensure that Agent Configuration Objects' details are accessible to the Gateway policy. A new field Agent Configuration Object has been added to the CA Single Sign-On Check Protected Resource Properties. This field accepts agent configuration object name and fetches the details from CA SSO policy server to make it available at Gateway's policy level. These details can be used by Gateway policy author to construct a proper cookie.

For more information, see Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken.


Applied various security updates to third party libraries.

Issues Resolved in Version 9.3 CR2

The 9.3 CR2 cumulative release includes the contents of CR and addresses these issues. Note: The 9.3 CR2 release must be installed on a v9.3 Gateway.

If you have made customizations to the /opt/SecureSpan/JDK folder, back up this folder before installing 9.3 CR2. This cumulative release upgrades the JDK to 1.8.0_172 and reverts some customizations that were applied to /opt/SecureSpan/JDK. For example, removal of some /jre/lib/ext libraries and changes to the file.

Using a Luna HSM? If you did not back up, you must reapply "com.safenetinc.luna.provider.createExtractableKeys=true" to

Fixed Issue ID Description

Introduced a checkbox, Connection timeout, in the Raw TCP Routing Properties dialog to allow you to specify the connection timeout value for socket connection. For more information, see Route via Raw TCP Assertion.

DE319759 Corrected an issue where the process controller log was displaying an error "Couldn't get HOST.cpuTemp value (Couldn't get CPU temperature)".
DE328317 Corrected an issue where ESM migration is failing with null pointer, when there is a mismatch in the policy that is mapped from source cluster policy and destination cluster policy with different assertion at one ordinal.
DE337924 Corrected a memory issue that affected Hardware Security Modules connected to the Gateway.
DE339252 Corrected an issue where migrating the "Load Previous Mappings" button results in a "an internal error occurred".

Corrected an issue that prevented customized error response messages from being returned in a Route via MQ Native Assertion policy.

DE342088 Corrected the Query LDAP Assertion to correctly parse context variable in the base DN field.
DE342376 Corrected a security issue with the Require SSH Credentials Assertion in the Gateway. 
DE343232 Corrected an issue where the UseHTTPOnlyCookies ACO parameter does not reflect in the cookie string as HttpOnly when it is set to 'yes'. 
DE343361 Corrected an issue where authorization is failing when Idle Session Timeout value is not enabled or set to 0 in CA SSO.

Updated the Gateway so that you can prevent response processing from failing if the request URL contains "unwise" characters that violate RFC 2396. For examples, special characters such as '{' and '}'.

To Allow Unwise Characters in Request URL

To allow characters that violate RFC 2396 in the request URL:

  1. Connect to the Gateway via SSH as the root user.

  2. Open this file for editing:


  3. Add this line to the file:

    tomcat.util.http.parser.HttpParser.requestTargetAllow = {}|<> 

    Where: '{}|<>' are the unwise characters to enable. This will enable the usage of '{', '}', '|', '<', and '>'.
    You should only enable the character(s) you need. 

  4. Save and exit the properties files, and then restart the Gateway:

    # service ssg restart

DE351400 Corrected inconsistent RESTman behavior in Gateway cluster nodes.



Added a new option "Omit Host header" to the Route via HTTP(S) Assertion. This setting allows you to omit including a host header for HTTP/1.0.
US491695 Upgraded JDK to 1.8.0_172.


Removed all 3DES_EDE_CBC ciphers from the default supported cipher list by Oracle (as of JDK 1.8.0_171) for security reasons.

If you need any of these ciphers for legacy compatibility, do the following:

  1. Open the file for editing.
  2. Modify jdk.tls.disabledAlgorithms to re-enable the ciphers by removing the "3DES_EDE_CBC" filter.

What happens next?

  • If you have any of the disabled ciphers selected in an existing listening port configuration, they remain selected. However, these ciphers will not work unless the jdk.tls.disabledAlgorithms setting is modified.
  • If you create a new listen port and do not see the deprecated ciphers, ensure jdk.tls.disabledAlgorithms setting is modified and then do the following.

How to Show All Available Ciphers in the Policy Manager

Do the following to make all deprecated ciphers visible in the Policy Manager UI:

  1. Open Policy Manager.ini for editing.
  2. Add this property: -Dcom.l7tech.console.connector.includeAllCiphers=true
  3. Save and exit, then restart the Policy Manager (if it was currently running).
  4. Open the properties for your listen port and then select the SSL/TLS Settings tab. All ciphers should be visible now.
  5. Select your deprecated cipher and save and exit.

Tip: The deprecated cipher will continue to be visible for this specific listen port even if the property in step 2 is removed.

Selecting Ciphers Elsewhere

In addition to the listen port, you can select ciphers elsewhere on the Gateway. Refer to Selecting Cipher Suites for a detailed description of other areas where you may need to also select your deprecated cipher.

DE334838 Corrected an issue where Evaluate Math Expression Assertion the gateway generates Premature End of File error while calculating the processing time.
DE336259 Added options to allow empty callback value and more supported signature methods RSA-256, RSA-512 for Generate OAuth Signature Base String Assertion.
DE342946 Corrected an issue where Swagger validation fails after upgrade to 9.3.
DE363616 Corrected an issue where Policy Manager Error window is displayed when adding Validate Against NCES Requirements assertion to service policy.

Issues Resolved in Version 9.3 CR3

The 9.3 CR3 cumulative release includes the contents of CR and addresses these issues. Note: The 9.3 CR3 release must be installed on a v9.3 Gateway.

Fixed Issue ID Description

Updated the JDK version to JDK 1.8.0_181.

Note: For more information, see JDK Release Notes in Oracle documentation.

DE288689 Enhanced the Gateway patcher so that errors are reported, with more detailed logging added to the sspc logs.
DE343053 Added a new "Skip Validation" option to the Access Resource Protected by Oracle Access Manager Assertion, to help prevent certain failures.
DE347516 Corrected the Evaluate JSON Path Expression V2 Assertion to prevent a "NullPointerException" error from occurring.
DE353852 Corrected an issue that caused slowness in signing JSON Web Tokens.
DE356626 Updated the Create JSON Web Key Assertion so that it uses the correct Base64 encoding for the "x5t" attribute.
DE360516 Corrected an issue that prevented the Gateway from starting after upgrading from version 9.2 to 9.3.
DE361031 Corrected an issue that caused excessive latency on the Gateway.
DE361214 Updated the Evaluate JSON Path Expression V2 Assertion so that is no longer appends unexpected "=" characters to the output.
DE361245 Corrected errors that occurred when version 9.3 CR1 is installed.

Introduced the following assertions so you can change a user's password and enable the user account in the CA Single Sign-On user directory:

DE362150 Updated the Validate Against Swagger Document Assertion to add the "<prefix>.path" context variable. This allows you to see the path in the Swagger document against which the request was validated.
DE362814 Resolved a handshake issue that impacted certain ciphers.
DE363154 Corrected an issue that caused a performance impact on the Gateway..
DE363569 Corrected an issue that caused slowdowns with Cassandra connections.
DE364175 Improved the output logs from the Container Gateway to match those produced by the standard Appliance Gateway.
DE364397 Corrected an issue that produced an error when switching paths in a WebSocket connection.
Added the new pkix.crl.invalidateCrlCacheOnNextUpdate cluster propertyThis property invalidates the CRL on the next update time that is embedded in the CRL. The default value of this CWP is false. Set this property to true if you do not intend to use the cached value when stale.
DE365432 Corrected the Route via SSH2 Assertion to close SCP sessions after use.
DE366357 Corrected an issue that caused the default HTTP port to be created, even though custom ports are specified in a bootstrap bundle (when auto-provisioning a migration bundle).
DE367210 Corrected an error that occurred when an OAuth callback URL exceeded 200 characters.
DE369411 Corrected an issue that caused the Container Gateway to ignore user parameters specified in the JDBC URL (through the SSG_DATABASE_JDBC_URL environment variable).
DE369448 Addressed several issues to improve the performance and stability of the Gateway.
DE372677 Corrected an issue that caused a mismatch between the number of log items displayed in the log viewer versus the actual number of items when viewing the log file directly. .
DE375497 Enhanced the SSG_DATABASE_PASSWORD environment variable to accept special characters.

Added the new json.evalJsonPathAcceptEmptyArray cluster property for Evaluate JSON Path Expression Assertion. This property preserves the backward compatibility in resulting empty arrays. By default, the value of this property is set to true. If this property value is set to false, the assertion is falsified for empty arrays.


Major enhancements to the Send Email Alert Assertion. Changes include the ability to:

  • Send emails as HTML
  • Send emails with hyperlinks and attachments
  • Control the attachment size through a cluster property

Issues Resolved in Version 9.3 CR4

The 9.3 CR4 cumulative release includes the contents of CR and addresses these issues. Note: The 9.3 CR4 release must be installed on a v9.3 Gateway.

Important! You must install 9.3 CR4 Policy Manager if you upgrade CA API Gateway to 9.3 CR4 release.

Fixed Issue ID Description
DE328610 Corrected an issue where the Protect Against Code Injection Assertion failed to protect against HTML/JavaScript code injection if the request included <svg> tag. The <svg> tag is now added in the blacklisted HTML/JavaScript tags of the assertion.
DE328893 Enhanced the Protect Against Code Injection Assertion to protect against Hex/Octal Encoded HTML/JavaScript Injection.



Corrected an issue where the Protect Against Code Injection Assertion did not protect if the form-post values contain invalid characters. 
DE346288 Corrected an issue where applying a Route via MQ Native Assertion within an encapsulated assertion, the request message is not sent and a stacktrace is logged in the audit logs.
DE356387 Corrected an issue where if a node is renamed in a cluster and then shut down for more than an hour, the name of the node changes to default when the node is started again. The default value of the system property, com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds, is now 7776000 (3 months).
DE363927 Corrected an issue that prevented the Route via HTTP(S) / Configure Message Streaming assertions from streaming a response back to the client without modification.
DE364342 Corrected an issue where XSL-Transformation might fail when a service is called with empty or invalid XML payload.
DE365919 Corrected an issue with the Virtual Appliance Gateway where firewall rules and listen ports were shown in the wrong order in iptables. Reordering rules in the Manage Firewall Rules task now behave as expected.
DE366529 Corrected an issue that caused Route via HTTP assertion to throw an exception when multiple URLs are configured in the Route via HTTP assertion and all the URLs return 404 error.



Corrected an issue that prevented Gateway from connecting to an Azure MySQL database due to the '@' special character requirement for the MySQL server admin login name (e.g., 'username@servername'). The '@' symbol is now recognized by Gateway for user names.

Corrected an MQ encoding issue that prevented Gateway from reading special characters from an MQ queue.

DE375782 Corrected an issue that caused Gateway to restart in Azure due to high memory usage.

Corrected pagination issues in the query results when using Microsoft Active Directory in the Query LDAP assertion.

Note: The LDAP Group Query in Gateway is not showing results. See Known Issues for the workaround.



Gateway now supports MySQL 5.7 TLS 1.2 communication.

DE379142 Corrected a Policy Manger connection issue when using an external identity provider.
DE380915 Corrected an issue where Java Web Start application in Policy Manager was not working as some libraries and folders were missing.


Evaluate JSON Path Expression assertion fails if JSON path evaluates to null results. We recommend Policy Authors to switch to Evaluate JSON Path Expression V2 assertion to see null results.
DE384931 The Gateway now supports the diffie-hellman-group14-sha1 as preferred algorithm for inbound/outbound SSH2 traffic.
DE386980 Corrected an issue that caused the Execute Salesforce Operation Assertion to not update fields from non-blank/null to blank/null.

Corrected an issue that caused the connector object to hold service details when changing the direction of the queue from Inbound to Outbound in MQ Native Queue Properties dialog.


Corrected an issue where if a JSON payload contains foreign characters, then Evaluate JSON Path Expression assertion and Evaluate JSON Path Expression V2 assertion converts the foreign characters to unicode.

DE389165 Corrected an issue that prevented 70 or more concurrent connections to the Gateway.

Updated the JDK version to 8u192.

Note: For more information, see JDK Release Notes in Oracle documentation.

Was this helpful?

Please log in to post comments.