Layer7 API Security

 View Only

Layer7 Work in Progress Update - PI37

By Gregory Thompson posted 23 days ago

  

PI Planning for PI37 is now complete and development has kicked off. Below you will find the list of items that are included in this PI and a summary of the releases completed in the previous PI. As always, we invite you to provide feedback. We would love feedback on both the current and future PI items to help us prioritize the items that will have the most benefit for our customers.

 

Recent Releases

 

The following product versions were released during PI36:

• API Gateway 11.1 - Release Notes

• API Portal 5.2.3 - Release Notes

 

Release and EOS Calendar

 

The following image provides a timeline view of past and planned releases (future releases are prefixed with “+”). For planned releases, the timeline, release name/version, and release content are subject to change. End of Service (EOS) dates are shown in gray on the bottom half of the image.

 





Planned Releases for PI37

 

The following product versions are planned to be released during PI 37. The marquee features for each release are included. For planned releases, the timeline, release name/version, and release content are subject to change.

 

  • API Gateway 11.1.1 - Late July/early August 2024

    • [Preview] Active-active enterprise Redis support

    • [Preview] Dynamic private key management via Graphman using PEM

    • [Preview] Graphman enhancements

    • Cluster-wide property search and sort

    • Tanzu support

    • Reasonable commercial effort support for downstream RHEL derivatives for software gateway

    • Reasonable commercial effort support AWS ElastiCache for Redis

    • [Container gateway optimizations] Mounting gateway sensitive data

    • [Container gateway optimizations] Support for setting Liquibase log level

    • Support for Policy Manager silent installs on Windows

    • Support for Policy Manager on Windows 11

  • API Portal 5.3  - Late June/Early July 2024

    • Define Application in Portal along with Client Cert to support mTLS

    • Scan Swagger files for code injection

    • Enhance API Key Deployments to support a shared API Key Repository

    • [Preview] Distributed Rate Limit support for Redis

    • [Preview] Support GraphMan Bundles for Policy Templates UI Updates

    • Deploy API Tag data with APIs on Gateway

    • Template Management - Enhancements and Support for Organization Assignments

    • Portal OVA - Debian 12

    • Template ability to define fields with drop down value selection

    • Make portal deployer port configurable

  • OTK 4.6.3 - July 2024

    • OTK - Scope processing optimization for improved performance

    • OTK - Enhance OAuth Client Store API to support partial updates

    • Correct at_hash generation when using JWT tokens

    • OpenID Hybrid Conformance Updates

    • OTK - UTFMB4 Support for DB

    • Provide ability for OTK Helm charts to not require Liquibase schema downloads from the internet

    • Routine reset of OAuth Client Secret



PI37 Key Capabilities

 

The sections below provide a listing of the key capabilities being worked on across the Layer7 family of products. Note that some capabilities will span multiple PIs. 

 

API Gateway:

  • [Preview] Active-active enterprise Redis support

  • [Preview] Dynamic private key management via Graphman using PEM

  • [Preview] Graphman enhancements

  • Cluster-wide property search and sort

  • Tanzu support

  • Reasonable commercial effort support for downstream RHEL derivatives for software gateway

  • Reasonable commercial effort support AWS ElastiCache for Redis

  • [Container gateway optimizations] Mounting gateway sensitive data

  • [Container gateway optimizations] Support for setting Liquibase log level

  • [Container gateway optimizations] Adopt SBO's IronBank RHEL UBI 9 base image

  • Support for Policy Manager silent installs on Windows

  • Support for Policy Manager on Windows 11

  • FIPS 140-3 support

  • [CCE] Common Criteria evaluation for GW11.1+ and Debian 12+

  • [CCE] Upgrade CCJ or replace with BC with longer lasting FIPS certification

  • [CCE] Digital signature of L7P files and verification using PMS

  • [CCE] Integrity verification of virtual appliance on startup

  • Switch to Bouncy Castle provider to address duplicate Subject DNs issues

  • Replace EPAgent with Infrastructure Agent for PAPIM

  • Gateway versioning and upgrade changes

  • Update gateway to use SSO SDK 12.8.08 CR1

  • Graphman-client diff enhancements

  • Add Graphman-client to NPM registry

  • [Experimental] Distributed Circuit Breaker Assertion

  • [Experimental][Container gateway optimizations] Arm64 or no arch container gateway

 

OAuth Toolkit:

  • OpenID Hybrid Conformance Updates Continued

  • OTK - Scope processing optimization for improved performance - Part 2

  • Provide ability for OTK Helm charts to not require Liquibase schema downloads from the internet

  • OTK 4.6.3 Release Activities

  • Provide ability to disable session cache


API Portal:

  • Define Application in Portal along with Client Cert to support mTLS - continued

  • Enhance API Key Deployments to support a shared API Key Repository Part 2

  • Cleanup API_VIEW to address API and Key Sync Issues

  • PSSG Removal (except TPS)

  • Make portal deployer port configurable

  • Template ability to define fields with drop down value selection

  • automation of sanity testing and other hardening tests (PI-37)

  • UI Standardization on React-17 (PI-37)

  • Portal 5.3 Release Activities

  • PSSG Removal - TPS

  • Template Management -APIs Tab in Category and others

  • API Products - General Availability (Part 1)

  • Client applications managed by external OAuth providers Part 1

  • API Hub: Provide ability to hide footer

  • Role UUID removal of unused UUIDs

  • Automatic Removal of Inactive Users

 

Note that some larger capabilities may span multiple PIs and, as always, plans are subject to change based on a number of different factors.

 

Candidates for PI38 and Beyond

While the capabilities to be included in the next PI are not yet set, please see below for a list of candidates being considered. Of course, not all of these will fit and we will select a subset of these based on your feedback. We'd love to know if there is a capability in the list you are eagerly awaiting and/or plan to use. We also would love to know if there is something missing from the list that is important to you. Please comment in the comments section below with your feedback.

 

API Gateway:

  • Next generation management interface

  • HTTP and HTTP/2 over shared port

  • gRPC

  • SNI

  • [Experimental] Gateway as k8s ingress controller

  • Container gateway optimizations (smaller, faster, more secure, more cloud native)

  • HTTP Client Upgrade

  • Common Criteria evaluation for GW11.1+ and Debian 12+

  • Post Quantum Crypto (PQC) Support

  • HTTP/2 streaming

  • ICAPS Support in Gateway

 

OAuth Toolkit:

  • Layer7 Operator Support

  • FAPI 2.0 Support

  • Token Validation Improvements to Leverage Token Revocation Capabilities

  • OAuth 2.0 Rich Authorization Requests (RAR)

  • Revise the trade-off between OTK runtime and management capabilities

  • Revise Token Count Capability

 

Mobile SDK:

  • iOS 18 

  • Android 15

 

API Portal:

  • PSSG Removal

  • API Products General Availability

  • Productization - Decouple OTK from Portal

  • Layer7 Operator Support

  • API Notification Management

  • Portal Standardization on React 17 (completion of ongoing work)

  • Workflow for API Publishing

  • Custom Roles

  • API Catalog for non-managed APIs

 

0 comments
5 views

Permalink