BoKS Web Services Interface

October 2024

Version 8.1.0.3

October 30, 2024

New Features
  • Denial of Service filter. The filter is useful for limiting exposure to abuse from request flooding, whether malicious or the result of a misconfigured client. See the WSI Admin Guide section "Enable Denial of Service filter" for information.
  • BoKS Keytab management. Functions for BoKS Keytab Management have been added. To use the new keytab functions, BoKS server s-8.1.0.13 or later is required.

Updates
  • Removed dependency on java-11-openjdk. The mds rpm package no longer has a dependency on java-11-openjdk. Java still needs to be installed, but it can be any distribution, as long as it is version 11 or later.

Fixes
  • If the WSI setup is aborted, subsequent runs will not prompt for certificate information. When a WSI setup is canceled and the user runs the setup again, it completes successfully, but the certificate information is not defined, causing the WSI service (mds) to fail. This issue can also occur with the domain and user configuration.
  • The setup has been modified to prompt for missing data if a previous setup was not completed.

November 2022

Version 8.1.0.2

November 1, 2022

Fixes
  • Fixed known issue with requesttimeout value.

  • Fixed issue with the syslog logging appender opening a UDP port even if syslog is not turned on.

  • Implementation details are now hidden from the general error page.

  • Upgraded dependencies.

Version 8.0.0.6

November 1, 2022

Fixes
  • Fixed issue with the syslog logging appender opening a UDP port even if syslog is not turned on.

  • Implementation details are now hidden from the general error page.

  • Upgraded dependencies.

Version 7.2.0.7

November 1, 2022

Fixes
  • Fixed issue with the syslog logging appender opening a UDP port even if syslog is not turned on.

  • Implementation details are now hidden from the general error page.

  • Upgraded dependencies.

January 2022

Version: 8.1.0.1

January 24, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

  • The log4j.config.watch.seconds property in mds.properties is not used anymore. It is replaced by the monitorInterval parameter in the log4j2.xml file (default 30 seconds).

Version: 8.0.0.5

January 24, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

Version: 7.2.0.6

January 24, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

Version: 6.7.0.3

January 24, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

December 2021

Version 7.2.0.5

December 22, 2021

  • Updated Jetty dependency (CVE-2021-28165, CVE-2020-27223, CVE-2021-28169).

Version 6.7.0.2

December 22, 2021

  • Updated Jetty dependency (CVE-2021-28165, CVE-2020-27223, CVE-2021-28169).

Version 8.0.0.4

December 17, 2021

  • Removed unused Log4j2 dependency (CVE-2021-44228, CVE-2021-45046).

  • Updated Jetty dependency (CVE-2021-28165, CVE-2020-27223, CVE-2021-28169).

October 2021

Version: 8.1

October 4, 2021

New Features
  • A REST API version of the Web Services Interface is added in addition to the existing SOAP interface.
  • A new command called mdsinfo is added that can be run to collect troubleshooting information on the WSI server.
Enhancements
  • Introduced parallel execution of synchronous single domain requests to improve throughput of requests and enhance operational robustness. The default number of maximum parallel requests is 4.
  • Added support for retrieving client IP from "Forwarded" and "X-Forwarded-For" request headers when using WSI behind proxy or firewall.
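The enhancement above means the address WSI logs or rate-limits can come from a header rather than the TCP connection, so the header must only be honoured when the connection itself comes from a proxy the operator controls. The following is an added example, not code from the WSI product, showing how such a resolver can be written: it parses both the RFC 7239 Forwarded header (the for= parameter, including quoted bracketed IPv6 nodes) and X-Forwarded-For, walks the chain from the proxy end backwards past addresses in a trusted-proxy list, and falls back to the peer address whenever a hop is unparsable. The trusted-proxy range, the header sets and the addresses are constructed for the example; the page does not describe how WSI itself selects the address.

```python
import ipaddress
import re
from typing import Iterable, List, Mapping, Optional

# One "for=" pair inside an RFC 7239 Forwarded element; the value may be quoted.
_FOR_RE = re.compile(r'(?:^|;)\s*for\s*=\s*("?)([^;,"]+)\1', re.IGNORECASE)


def _node_to_ip(node: str) -> Optional[str]:
    """Reduce a forwarded node ("[2001:db8::1]:443", "203.0.113.7:8080",
    "203.0.113.7") to a bare IP string; None for obfuscated or unparsable nodes."""
    node = node.strip()
    if node.startswith("["):                 # bracketed IPv6, optional port
        end = node.find("]")
        if end == -1:
            return None
        node = node[1:end]
    elif node.count(":") == 1:               # IPv4 with port
        node = node.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(node))
    except ValueError:                       # "unknown", "_hidden", garbage
        return None


def forwarded_chain(value: str) -> List[Optional[str]]:
    """The 'for=' nodes of a Forwarded header, client first, proxies after."""
    chain = []
    for element in value.split(","):
        match = _FOR_RE.search(element)
        if match:
            chain.append(_node_to_ip(match.group(2)))
    return chain


def xff_chain(value: str) -> List[Optional[str]]:
    """The nodes of an X-Forwarded-For header, client first, proxies after."""
    return [_node_to_ip(part) for part in value.split(",")]


def client_ip(headers: Mapping[str, str], peer_ip: str,
              trusted_proxies: Iterable[str]) -> str:
    """Address to log or rate-limit for a request.

    The TCP peer address is authoritative. Forwarding headers are consulted only
    when the peer is one of our proxies, and the chain is walked from the proxy
    end backwards, so the result is the first hop we did not put there ourselves.
    Anything unparsable falls back to the peer address instead of being trusted.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip: Optional[str]) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not is_trusted(peer_ip):              # direct client: headers are just input
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in lowered:               # RFC 7239 header takes precedence
        chain = forwarded_chain(lowered["forwarded"])
    elif "x-forwarded-for" in lowered:
        chain = xff_chain(lowered["x-forwarded-for"])
    else:
        return peer_ip
    for hop in reversed(chain):
        if hop is None:
            return peer_ip
        if not is_trusted(hop):
            return hop
    return peer_ip                           # every hop was one of our proxies


# Constructed trusted-proxy range for the example (assumption, not a WSI default).
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(client_ip({"X-Forwarded-For": "203.0.113.7, 10.0.0.9"}, "10.0.0.5", TRUSTED))
```

The walk from the right is the part that matters operationally: taking the leftmost X-Forwarded-For entry would let any client choose the address that ends up in mds.log and in the Denial of Service filter's accounting, whereas stopping at the first hop outside the trusted range yields the address the operator's own proxy observed.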

  • Systemd is used for managing the WSI application where available. The systemctl command is used for starting and stopping the service. The /etc/init.d/mds start script has been removed.
  • A keep-alive is added so the WSI server regularly polls the BoKS admin server BCCAS. This can be configured using the KeepAliveInterval parameter in the config.yaml file. The default setting is 10 minutes.
  • The application automatically picks up changes to the log configuration without the need to restart.
  • Logging of incoming requests can be enabled in the log configuration.
  • Failed requests are now logged to mds.log and error.log.
  • Added support for TLS 1.3.
  • Default allowed TLS protocols are TLSv1.2 and TLSv1.3.

    Default allowed TLS cipher suites are TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2) and TLS_AES_256_GCM_SHA384 (TLS 1.3).

  • Added fix to set SELinux security context for installation directories, resolving issue with process not starting on Red Hat/Centos 8 with SELinux enabled.
Fixes
  • Java client code example has been updated for Java 11 and above.
  • Removed all unsafe-inline in Content-Security-Policy header.
  • The dependency in some WSI programs on /bin/ed, which is not supported in some newer OS versions, is removed.
  • Fixed an issue where you could not clear Access Rule modifiers with the modifiersClear option.
  • Added fix to set SELinux security context for installation directories, resolving issue with process not starting on Red Hat/Centos 8 with SELinux enabled.

January 2020

Version 8.0.0.3

January 15, 2021

  • CAS-0010235962: Fixed an issue where the request timeout feature (added in WSI 8.0.0.1) did not result in a new connection to the admin server. This caused requests and responses to be out of sync after a request timeout had occurred for any request.

  • Only failed requests for connection errors are logged to mds.log. WSI 8.0.0.1 introduced logging of all failing requests to mds.log, which made it harder to find actual problems among the many log messages. Failing modifying requests are also already logged to audit.log.

Version 7.2.0.4

January 15, 2021

  • CAS-0010235659: SAN certificates in the keystore file did not work, with the result that WSI could not start. This issue was introduced in WSI 7.2.0.3.

  • CAS-0010235962: Fixed an issue where the request timeout feature (added in WSI 7.2.0.2) did not result in a new connection to the admin server. This caused requests and responses to be out of sync after a request timeout had occurred for any request.

  • Only failed requests for connection errors are logged to mds.log. WSI 7.2.0.2 introduced logging of all failing requests to mds.log, which made it harder to find actual problems among the many log messages. Failing modifying requests are also already logged to audit.log.

December 2020

Version 8.0.0.2

December 21, 2020

  • CAS-0010225587: Cannot clear access rule modifiers

  • Fix for problem where certain list attributes could not be cleared.

    The following functions/attributes have been fixed:

    • modifyUserAccessRule: programArgs, modifiers

    • modifyUserClassAccessRule: programArgs, modifiers

    • modifyAccessPolicy: programArgs

    • modifyDomainParameters: pswHashFuncAcc, pswHashUserAcc

  • Update of dependencies.

Version 7.2.0.3

December 21, 2020

  • CAS-0010225587: Cannot clear access rule modifiers

  • Fix for problem where certain list attributes could not be cleared.

    The following functions/attributes have been fixed:

    • modifyUserAccessRule: programArgs, modifiers

    • modifyUserClassAccessRule: programArgs, modifiers

    • modifyAccessPolicy: programArgs

    • modifyDomainParameters: pswHashFuncAcc, pswHashUserAcc

  • Update of dependencies.

May 2020

Version 8.0.0.1

May 6, 2020

  • Added enhanced error logging capabilities for failed requests.

  • Updates of third-party dependencies.

Version 7.2.0.2

May 6, 2020

  • Added the ability to set a configurable timeout for calls to the BoKS admin server, BCCAS. If the call fails, an error is logged. The request timeout is configured using the parameter requesttimeout in the config.yaml file and is specified in seconds. The default is 60 seconds.

  • Added enhanced error logging capabilities for failed requests.

  • Fixed an issue where an incorrect content length setting for UTF-8 characters in combination with the system locale not being set to UTF-8 could cause the WSI server to stop responding.

  • Added support for Java 11.

  • Updates of third-party dependencies.

April 2020

Version 7.1.0.2

April 9, 2020

  • Added the ability to set a configurable timeout for calls to the BoKS admin server, BCCAS. If the call fails, an error is logged. The request timeout is configured using the parameter requesttimeout in the config.yaml file and is specified in seconds. The default is 60 seconds.

  • Added enhanced error logging capabilities for failed requests.

  • Fixed an issue where an incorrect content length setting for UTF-8 characters in combination with the system locale not being set to UTF-8 could cause the WSI server to stop responding.

  • Update of third-party dependencies.

December 2019

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Web Services Interface 8.0 Administrator's Guide.
New Features
  • Updated to support BoKS 8.0 features and functions.
Enhancements
  • Support for java version 11 and above.
  • Added an RPM installation package, in addition to tar archive.
  • Added support for parameterized install for automated installation.
  • Added support for user certificate mapping.
Other Updates
  • CAS-0010142865 - Support has been added to explicitly use the UTF-8 character set to ensure proper processing of requests with these characters. This resolves an issue whereby WSI requests containing certain UTF-8 characters caused the program to stop responding and processing further requests.
  • CAS-0010149474 - Added more detail to the documentation on setting up the admin server using bccsetup.
  • HTTP requests are now redirected to HTTPS instead of giving an error message.
  • The only HTTP methods now allowed are GET, HEAD and POST, due to security issues with other methods.
  • Upgrade of dependency libraries. Resolves the vulnerabilities CVE-2019-10241 and CVE-2019-10247.

September 2019

Version 7.2.0.1
  • Added the ability to map a digital certificate to a user by setting the user UUID attribute. This attribute has been added to the functions getUser, createUser and modifyUser. Note that this function also requires that you apply hotfix HFBM-0313 on the BoKS Master.

  • Jetty library has been updated to version 9.4.20. The Jetty version used in Web Service Interface 7.2 was vulnerable to two reported vulnerabilities (CVE-2019-10247 and CVE-2019-10241).

  • The HTTP OPTIONS method is disabled. It is recommended to have this method disabled for security reasons.

November 2018

Version 7.2
NOTE: For information about changes in the API and known issues, see the WSI 7.2 Administrator's Guide.
New Features
  • Updated to support BoKS 7.2 features and functions.

Other Updates
  • Security enhancements for response headers for XSS prevention and SSL Client-initiated renegotiation.
  • Removed bundled JRE - Java Runtime is no longer bundled with the WSI installation. System installed Java is used instead.
  • CAS-0010116127 - The Access Rule valid time was previously incorrectly converted, with the validFrom and validTo date fields being specified without timezone. When the rule is added to BoKS, the time is now not dependent on the local timezone.
  • CAS-0010113777 - The deprecated parameter "members" for the createProgramGroup function, which has no effect, is removed from the html documentation.
  • CAS-0010120101 - Attributes with the value "null" are no longer sent to the BoKS admin server, so listing functions perform correctly.

October 2018

Version 7.1.0.1
  • Jetty library has been updated to version 9.4.12. The Jetty version used in Web Service Interface 7.1 was vulnerable to two reported vulnerabilities (CVE-2017-7658 and CVE-2017-7656).

  • Security response headers: #14480 - MDS web api vulnerability (CAS-189043-S9V0N3).

  • The following response headers have been added to the Web Service API responses for improved security:

    • Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security, Pragma, Cache-Control.

    • Client-initiated TLS renegotiation is now rejected.

  • Embedded Java Runtime Environment is updated to version 8u181.

  • Updated default enabled TLS protocols and cipher suites.
  • Default enabled protocol is:

    > TLSv1.2

    New default enabled ciphers are:

    > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

    > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • The certificate keystore jks file is created in PKCS format instead of the Sun proprietary format, which previously caused warnings at installation.
  • CAS-0010116127 - The Access Rule valid time was previously incorrectly converted, with the validFrom and validTo date fields being specified without timezone. When the rule is added to BoKS, the time is now not dependent on the local timezone.

  • License.txt in installation package is updated.
  • NOTE: WSI 7.1.0.1 does not support Solaris x86 32 bit, which was supported for the 7.1.0 release. The reason for this is that Oracle Java does not include support for that platform.
Version 7.0.0.1
  • Jetty library has been updated to version 9.4.12. The Jetty version used in Web Service Interface 7.0 was vulnerable to two reported vulnerabilities (CVE-2017-7658 and CVE-2017-7656).

  • Security response headers: #14480 - MDS web api vulnerability (CAS-189043-S9V0N3).

  • The following response headers have been added to the Web Service API responses for improved security:

    • Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security, Pragma, Cache-Control.

    • Client-initiated TLS renegotiation is now rejected.

  • Embedded Java Runtime Environment is updated to version 8u181.

  • Updated default enabled TLS protocols and cipher suites.

  • Default enabled protocol is:

    > TLSv1.2

    New default enabled ciphers are:

    > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

    > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • License.txt in installation package updated.

  • NOTE: WSI 7.0.0.1 does not support Solaris x86 32 bit, which was supported for the 7.0.0 release. The reason for this is that Oracle Java does not include support for that platform.
Version 6.7.0.1
  • Jetty library has been updated to version 9.4.12. The Jetty version used in Web Service Interface 6.7 was vulnerable to two reported vulnerabilities (CVE-2017-7658 and CVE-2017-7656).

  • Security response headers: #14480 - MDS web api vulnerability (CAS-189043-S9V0N3).

  • The following response headers have been added to the Web Service API responses for improved security:

    • Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security, Pragma, Cache-Control.

    • Client-initiated TLS renegotiation is now rejected.
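The same set of response headers is listed for 7.1.0.1, 7.0.0.1 and 6.7.0.1 above, and version 8.1 later removed unsafe-inline from the Content-Security-Policy header. An operator verifying an upgrade wants a repeatable check rather than eyeballing a response, so here is an added example (not WSI code and not based on its actual header values, which the page does not show): a small parser for a raw HTTP/1.1 response and an audit that reports which of the seven listed headers are absent and which are present but carry a value that weakens the control. The two sample responses are constructed for the example; the one-year HSTS threshold and the DENY/SAMEORIGIN, nosniff and no-store expectations are the example's own assumptions about a sensible baseline.

```python
import re
from typing import Dict, List, Tuple

# Headers the release notes list as added to every Web Service API response.
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Strict-Transport-Security",
    "Pragma",
    "Cache-Control",
)
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into its status line and a header map
    keyed by lower-cased name. Repeated headers are joined with ', '."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return lines[0], headers


def audit_security_headers(raw: bytes) -> Dict[str, List[str]]:
    """Report headers that are absent and headers whose value weakens the control."""
    _, headers = parse_response(raw)
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in headers]
    findings: List[str] = []

    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is neither DENY nor SAMEORIGIN")

    if "cache-control" in headers and "no-store" not in headers["cache-control"].lower():
        findings.append("Cache-Control does not include no-store")

    return {"missing": missing, "findings": findings}


# Constructed sample responses (not captured from a WSI server).
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-store, no-cache\r\n"
    b"\r\n"
    b"{}"
)
WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Strict-Transport-Security: max-age=3600\r\n"
    b"Cache-Control: public, max-age=600\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_security_headers(sample))
```

Feeding the check a response captured with the client of your choice after each WSI upgrade turns the release-note promise into a regression test; an empty missing list together with an empty findings list is the expected result for a current deployment.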

  • Embedded Java Runtime Environment is updated to version 8u181.

  • Updated default enabled TLS protocols and cipher suites.

  • Default enabled protocol is:

    > TLSv1.2

    New default enabled ciphers are:

    > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

    > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • The certificate keystore jks file is created in PKCS format instead of the Sun proprietary format, which previously caused warnings at installation.

  • License.txt in installation package is updated.

  • NOTE: WSI 6.7.0.1 does not support Solaris x86 32 bit, which was supported for the 6.7.0 release. The reason for this is that Oracle Java does not include support for that platform.
