Release Notes

Red Hat 3scale API Management 2.3

For Use with Red Hat 3scale API Management 2.3

Red Hat Customer Content Services


Release Notes for Red Hat 3scale API Management 2.3.

Chapter 1. Red Hat 3scale API Management 2.3 On-Premises Release Notes

1.1. New Features


This 2.3 release of Red Hat 3scale API Management only includes new features for APIcast. All the other features from the 2.2 release remain unchanged.

1.1.1. Major Changes

  • Extended the API policy coverage by adding new APIcast out-of-the-box policies:

    • URL rewriting with captures: Ability to read the arguments in a URL and rewrite the URL using them (JIRA #1139)
    • RH-SSO/Keycloak role check: Verifies realm roles and client roles in the access token (JIRA #1158)
    • Logging: Allows to disable access logs for individual services (JIRA #1148)
    • Anonymous access: Provides default credentials for unauthenticated requests (JIRA #586)
    • 3scale Batcher: Caches authorizations from the 3scale backend and also sends reports in batches for better performance (JIRA #1155)
    • 3scale Referrer: Adds support for Referrer Filtering feature
  • Improved the features and capabilities of the existing policies:

    • Added the ability to modify query parameters in the URL rewriting policy (JIRA #1139)
    • Edge limiting: A flexible and powerful policy that performs different kinds of rate limiting (JIRA #411)
    • Extended the header modification policy by allowing templating (JIRA #1140)
    • The OAuth 2.0 Token Introspection Policy has been improved by adding the following features: caching, support for logout/token revocation, get client credentials from the OpenID Connect (OIDC) Issuer Endpoint

OAuth 2.0 Token Introspection Policy is now out of Technology Preview.

  • Better OIDC capabilities for integration with 3rd party identity providers (Support JWK through OIDC Discovery)
  • Prometheus metrics (JIRA #1230)
  • Added support for communication via forward HTTP proxy (JIRA #221)
  • OpenTracing integration in APIcast to improve observability by allowing the use of Tracers (JIRA #1159)

1.1.2. Minor Changes

  • Renaming of some policies (JIRA #1232)
  • New APICAST_ACCESS_LOG_FILE environment variable that allows configuring the location of the access log (JIRA #1148)
  • Added new environment variables that allow configuring APIcast to listen on an HTTPS port and configure necessary certificates. New environment variables: APICAST_HTTPS_PORT, APICAST_HTTPS_CERTIFICATE, APICAST_HTTPS_CERTIFICATE, and APICAST_HTTPS_CERTIFICATE_KEY.

1.2. Resolved Issues

  • APIcast crashes when adding an invalid (non-existing) policy name via API.
  • Do not crash when initializing unreachable/invalid DNS resolver.
  • After migration to new OCP instance, APIcast images can not be build from the upstream repository.
  • OIDC Signature verification function not compatible with generic OIDC provider (JIRA #583).
  • Wrong error message when OIDC issuer field is configured incorrectly.
  • APIcast crashes when loading some configurations including services with OIDC authentication.

1.3. Documentation

1.4. Technology Preview Features

  • Added a new “Conditional policy” that only executes a policy chain if a certain condition is met. There is no GUI available for this policy; it must be configured via JSON.

1.5. Known Issues

  • Dashboard stream and email notifications are not filtered according to the admin member permissions (JIRA #629)
  • Servers on which 3Scale API Management is installed must use the UTC time zone for correct invoice generation in postpaid mode (JIRA #534)
  • Internal Server Error when accessing signup page with spam protection enabled (JIRA #908)
  • 500 internal error response when accessing Service settings view (JIRA #878)
  • Backend-listener fails to reconnect to backend-redis (JIRA #608)
  • Wildcard router overrides unsecured routes (Resolved in OpenShift Container Platform 3.9.33)
  • Ogone and payment gateways are not supported. Nevertheless, these options are shown in the billing settings

1.6. Deprecation Notices

  • End User Plans feature will be deprecated in March 2019. This feature is replaced by the ability to define rate limits for end users using the APIcast policy for edge limiting.
  • Native OAuth 2.0 implementation (Authorization Code flow) for API traffic authentication is deprecated in this release. In the next release, 3scale 2.4, you will find that:

    • This feature cannot be selected in the User Interface (UI).
    • This feature is replaced by the OIDC integration with Red Hat Single Sign-On, which includes support for multiple OAuth 2.0 flows (see documentation).

Legal Notice

Copyright © 2019 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.