We added a bunch of important improvements to Mashery Traffic Manager recently that really rounds off our support for a very important industry standard CORS. Hope you find them useful !

• If Allow requests from any domain is set to No on the Dashboard then:
  • The API administrator can specify a comma separated "List of domains allowed". The requests made from domains that are not in the list are denied.
  • To allow for more flexibility, API administrator can also select if "Sub-domain matching allowed" is Yes.  By default, exact domain matching process is followed. 
    • In case of an exact domain match, for e.g. if http://abc.com, is specified in the “List of domains allowed”, only requests for http://abc.com are allowed.
    • In case of a sub-domain match, for example, if http://abc.com is specified in the “List of domains allowed” on the Dashboard, requests coming from http://abc.com, http://xyz.abc.com and http://xxx.abc.com are accepted as valid and allowed through
    • Note that in either of the above cases, http://abc.com, https://abc.com, and http://abc.com:8080 are not considered identical and are never matched
• CORS specification does not allow any custom header to be processed by the browser client application except if the server explicitly white-lists those headers via Access-Control-Expose-Headers. With the "List of headers to expose" field, API administrator can white-list the headers  that Traffic Manager will add to Access-Control-Expose-Header in the response.
• API administrator can specify a comma separated "List of headers allowed". These are used to validate against values in Access-Control-Request_Header and determine if the request can be allowed through or not. If allowed, corresponding headers are added to Access-Control-Allow-Header back in the response. If this field is left empty, any incoming header is allowed – this is to maintain backward compatibility
• API administrator can specify whether cookies are allowed for the CORS requests or not. By default, cookies are not allowed. If cookies are allowed, Access-Control-Allow-Credentials is set to true on the preflight response and CORS response.
• To facilitate debugging scenarios for CORS request and response, any selected Mashery specific debug headers are white-listed via Access-Control-Expose-Headers so that the client application can process the response appropriately. Specifically if Include X-Mashery-Responder Header in Response, and Include X-Mashery-Message-ID Header in Response are selected on the end-point settings in the dashboard, these will be added to Access-Control-Expose-Headers list
• Even in the case of error responses, CORS specific headers are added in the response. This allows the client application to read and process the right error message   
• Even if pre-flight request fails, it is returned with a 200 code but with the right error message  This will ensure that the client application can process and display the appropriate error message on the browser which facilitates better debugging.

A security advisory was released on 09/24/2014 related to a vulnerability, now informally being referred to as Shellshock, that exists in GNU Bash.  For more information about this vulnerability, please refer to CVE-2014-6271 and CVE-2014-7169.  An incident response is in effect and immediate actions have been taken by TIBCO Mashery to address this vulnerability.  We will update you with more information as it becomes available.  Please contact support@mashery.com with questions or concerns.

Mashery understands the impact and is working towards building and deploying the patch for Mashery Local 2.2 customers by end of next week. Also Mashery Local is less vulnerable as it sits behind the firewall.

Mashery addressed the SSLv3 vulnerability aka Poodle in our environment within few hours of learning about it on the afternoon of October 14th 2014. After carefully reviewing the likelihood and impact of this vulnerability, we determined the risk to be High, especially as “Poodle” became a widely known vulnerability that could potentially expose our customers’ data. We decided to disable SSLv3 immediately with an option to rollback on a customer case-by-case basis.

Prior to disabling SSLv3, we informed our customers about our decision and made that change (i.e., disabling SSLv3) during our weekly maintenance window (11 PST 11/14/14) on the same day. We also recommended our customers to use TLS 1.0 or above as per the industry best practice. Follow up communications were sent to our customers to keep them abreast on the status of the change.

We did not come across any significant interruptions due to disabling SSLv3 in our own, or our customers’, operations. We made every effort to address customer issues as early as possible. Only a very small number of customers reported issues caused by the necessary change.

As always, customers’ information security has always been one of our top priorities and we will continue to do our part to safeguard customer data.

Please contact customer support at support@mashery.com, TIBCO Mashery Support Portal, or call our toll free number: 888-667-1588. You can also follow our updates on our Twitter stream, @MasheryOps.

For more information about this vulnerability, please refer to http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html.

The user experience for the TIBCO Mashery API Control Center has changed a bit with last night's release (2/17/2015). After getting feedback on how navigation was working and with an eye towards other future enhancements, the location of the "New" buttons, on "List" pages, has been changed, and replaced by an icon, as well as an update to the "View" pages for API Definitions, Endpoints, Packages and Plans. Examples of the changes can be seen below.

Updated "List" Page with "New" button location

Screen shot of new "View" page with updated actions locations and icons.

TIBCO Mashery is pleased to announce the availability of a new reporting feature, Executive Summary, for those customers currently using the new API Control Center. The Executive Summary is a 1-stop shop for API Metrics designed for sharing with executive leadership and for broadcasting widely to a general audience. The visually intuitive report delivers a high-level view across your API Program and includes new metrics and analytics to drive new business strategies and initiatives. The Executive Summary takes advantage of the latest data visualization techniques to deliver a "showcase-ready" dashboard with specially crafted data-driven narratives across three perspectives, Management metrics, Technical metrics, and Developer/Partner metrics.

A sample screenshot of the Executive Summary in action can be seen below.

To understand more about how this feature works and how your API program might benefit from this feature, please contact your TIBCO Mashery CPSM or Support for information.

We are thrilled to announce, with today's release, that TIBCO Mashery has provided its customers the capability to have their administration users login into the TIBCO Mashery administrative web applications with their enterprise credentials using SAML Single Sign On (SSO). For API providers, sometimes having admins create separate and independent user accounts in the TIBCO Mashery system is counterintuitive to their centralized ID Management and security policies. And it generally is not very efficient for users either: admins have to remember different user credentials from their current corporate ones. SAML SSO for the administration dashboards is part of TIBCO Mashery’s broader vision to allow us and our customers to:

• Scale and optimize their organizations daily API management with quick and efficient user approval and provisioning. As a part of Single sign on process, provisioning over SAML allows our customers to create on-demand accounts. We have now simplified scenarios where users need to be dynamically provisioned, by combining the provisioning and single sign-on processes into a single message.
• Increase security by allowing authentication against customer’s ID management system. With this feature, we simply check users' corporate credentials using their employer’s directory, instead of our own directory and eliminate the need for separate Mashery credentials.
• Increase user adoption: users only need to memorize a single password to access both their enterprise’s site and Mashery. Users are more likely to use TIBCO Mashery on a regular basis.
• Reduce support costs and inefficiency. Now, customers don’t have to wait for Mashery Admins to approve accounts individually and/or remove users after they have left an organization.

Screenshot of Admin SAML SSO Enabled for API Program Login

To understand more about how this feature works and how your API program might benefit from this feature, please contact your TIBCO Mashery CPSM or Support for information.

Mashery is pleased to announce the availability of new Reporting API methods that allow access to the data behind the Executive Summary report in the API Control Center. The Executive Summary is a 1-stop shop for API Metrics designed for sharing with executive leadership and for broadcasting widely to a general audience. The visually intuitive report delivers a high-level view across your API Program and includes new metrics and analytics to drive new business strategies and initiatives. The Executive Summary takes advantage of the latest data visualization techniques to deliver a "showcase-ready" dashboard with specially crafted data-driven narratives across three perspectives, Management metrics, Technical metrics, and Developer/Partner metrics. Now, with this release, customers can access this data and pull into their own visualizations; for example, why not create a custom dashboard that is thrown up on a nice big TV in your office, displaying some of the important metrics surfaced by the Executive Summary feature?

Screenshot of Executive Summary

Screenshot of API Methods in IO Docs

Check out the new methods in the V2 IO Docs!

As your API program grows rapidly, so does your need to manage large numbers of users and keys. This led us here at TIBCO Mashery to create a new and improved User Management experience for our API Control Center. The new user management screens will enable you to create, maintain and manage users, applications, package keys and roles with greater ease. The new user interface provides a much better visual experience, new search and filter controls and a more intuitive way of navigating our control center.

The new user interface is Generally Available and can be enabled for customer usage. If you are using API control Center and are interested in switching to this new  interface please contact Support(support@mashery.com).

One of the challenges associated with APIs is having more and more folks be able to use them, without the often requisite sophisticated programming knowledge and experience. Interactive documentation tools, like IO Docs and Swagger UI, have been great ways for helping developers learn about APIs. But what about having people - non programmers - use APIs to accomplish day to day tasks? Imagine that! How to best get them productive all the while not having to spin up big application development projects?

TIBCO Simplr™ is a great way to get API-driven useful capabilities into the hands of business managers. TIBCO Simplr links your cloud apps and automates tasks so you can get your job done faster and more accurately. Whether you’re planning a sales trip, reporting on marketing campaigns, surveying employees, or just trying to improve your productivity, Simplr can help you and everyone in your organization.

How does this all fit into TIBCO Mashery? Well, we're pleased to announce the availabilty of the TIBCO Mashery Connector for TIBCO Simplr. TIBCO Mashery customers can now leverage a very simple tool to do things like pull developer data out of Mashery, previously only accomplished using the Mashery API. Now you can do things like pull out developer data and put into a Marketo app or a Google spreadsheet or drive a SurveyMonkey product feedback process. All without programming!

Sample screen shots can be seen below. A quick demonstration of the feature can be found here and here.

NOTE: The use of the TIBCO Mashery Connector for TIBCO Simplr requires a Mashery V3 API Key. Please visit here to get one.

TIBCO Simplr is free right now in Beta. Sign up to access Mashery connector templates, or build your own!

Flow Overview Page

Setting Up A Flow

We are excited to announce the general availability of the TIBCO Mashery V3 API. The V3 API provides a REST interface for managing the various assets in our system. The API can be used to manage User specific data, such as Members, Applications, Roles and Keys, and API related data, such as APIs, Endpoints,Methods, Packages and Plans, as well as access reporting performance data. You can use these API calls to automate the creation and management of these assets or to integrate with third party applications or create custom scripts and applications. The APIs are OAUTH2 protected and you can generate tokens by providing key and secret. Currently we have over 120 customers using these APIs, with use cases ranging from reporting data export to exporting developer data to drive email campaigns to managing the lifecycle of their APIs.

For more information on how to use the APIs or to sign up for keys please login to support.mashery.com. Documentation for the API can be found here and the IO Docs are located here.

We are pleased to announce the release of a new feature within the Mashery Reporting API that will provide access to Queries per Second (QPS) details for Area, Developer key, and Endpoint objects in 30 minute summaries. This new functionality should be particularly helpful to customers seeking to manage capacity, visualize traffic spikes for any of the three objects, or generally understand traffic patterns in a new and interesting way.

In addition to pure max QPS information per 30 minute slice, the response will contain information covering data transferred and connections, which represents call concurrency. 

The new methods are called:

• CallsQPSForArea
• CallsQPSForDeveloper
• CallsQPSForEndpoint

These new methods are now available within the existing Reporting V2 and V3 API plans, and further details regarding their use can be found within our IODOCS and in our long hand docs.

At the end of August, all customers currently using the TIBCO Mashery API Control Center will be moved over to the new Developer Management User Experience. You can read more about that new experience here. At that time, there will be a change to the name of a feature, previously referred to as Roles or Custom Roles, which will be re-named Portal Access Groups. This feature gives you, the customer, the ability to define arbitrary role names that can be applied against content, APIs and API Plans in order to ensure that people with said roles only have access to these objects in the developer portal. You can learn more about that feature by exploring the product documentation here. We're re-naming to Portal Access Groups in order to reflect exactly what they are: a grouping of developers for the purpose of exposing different assets - content, APIs and API Plans - to them while visiting the portal.

Coincident with this change will be a new and improved user experience for managing Portal Access Groups. You can see this in action in this short demo video here. Some screenshots are displayed below.

NOTE: if you are currently using the Event Trigger Feature (blogged about here), you should be aware that there has been a slight change to the payload sent across from Mashery to your respective target endpoint. "object_type" is no longer provided; you must inspect the URI path to determine the type of object being passed to your code. If you have any questions, please contact support.

If you are a Mashery API user - if not, sign-up here! - then you might not be aware of the fact that we're passing back, in the response header, information about your usage of the API, which can help you add in more resilency to your custom API programs, e.g. if you are about to hit a QPS limit, then perhaps you want to add in a slight delay to a next call. This information can be very useful for developers building custom applications using the Mashery API.

The headers returned are:

• X-Packagekey-Qps-Allotted: The maximum QPS (queries per second) capacity set on your API key. This is the maximum number of calls that can be made in any given second.
• X-Packagekey-Qps-Current: The current count of calls being applied against the above limit; in this case, it is a representation of how many calls your key is making at that particular second in time.
• X-Packagekey-Quota-Allotted: The maximum number of calls that can be made on daily basis. 
• X-Packagekey-Quota-Current: The current count of calls made in the current limit period, i.e. the current day.
• X-Plan-Quota-Reset: The time when the quota count will reset to 0.

Example response headers are below:

X-Packagekey-Qps-Allotted: 25
X-Packagekey-Qps-Current: 1
X-Packagekey-Quota-Allotted: 2000000
X-Packagekey-Quota-Current: 105094
X-Plan-Quota-Reset: Saturday, July 30, 2016 12:00:00 AM GMT

We are super excited here at TIBCO Mashery to announce the release of our new feature: Distributed API Management. The feature adds group-aware role based access control to the Mashery product. Distributed API Management will allow users to create multiple organizations within the Control Center. Different assets such as Users, APIs and Packages can be assigned to an organization and managed independently of each other. Depending on which organization a user belongs to and what permission he or she has, they will be able to perform certain operations and view certain assets. Currently we have the roles of Admin, API Manager, Community Manager and a Reports User within an organization that can be assigned to a Control Center User.

We have also provided a new way of grouping developer users and controlling the access settings for these users. There is a new group called Portal Access Group that can be created for each organization. Users with access to Portal, typically developer users can now be added to the Portal Access Group. Plans and IO Docs can be added to the Portal Access Group. Users in a given Portal Access Group will get access to the Plans and IO Docs in that group when they log into the Portal.

Please contact customer support if you need the feature to be turned on for your area or want to learn more. Below are a few screen shots that go into a bit more detail on how the feature is designed and how it can be used. You can also view a recorded demo here.

Mashery Local 3.1.1 is generally available for customer download on edelivery.tibco.com. The release includes greater access to networking system level commands for the Mashery Local administrator plus includes critical bug fixes. 

We are pleased to let you know about some exciting changes coming to your Control Center experience. We have introduced a new header and incorporated a few changes based on customer feedback. For the new header "Mashery Control Center" has been replaced with "TIBCO Mashery".

The area name is displayed on the right and clicking the area name would give additional information, such as the Area UUID. This is a quick and easy way to find the UUID of a given area. Next to the area name is an icon(?) that you can click to get area information, get access to the latest Control Center documentation or get information on how to contact support.

As always we are trying to make the product better and we have bigger changes coming to the Control Center especially with regards to the look and feel. Stay tuned for more product updates. 

A while back, we announced the availability of the TIBCO Mashery Connector for TIBCO Simplr (blog post here). And we haven't stopped there! Over the past month, we've been working hard to make it easier to use as well as open up more data that can be pulled out of the Mashery V3 API. The enhancements are as follows:

A preview of the new actions can be seen below. Visit the original blog post to learn more about the feature in general. And visit simplr.tibco.com to sign-up today.

We have more exciting UI changes coming to the Control Center. Soon you will have a more visually appealing white background for the API Control Center instead of the traditional dark one. We hope this will provide a much better visual experience for you. We are making this change for several reasons:

• The color scheme matches with the rest of the products offered by TIBCO cloud services and provides a more unified UI experience.
• Feedback from a majority of customers indicated a preference towards a “lighter” application.
• It sets the stage for further enhancements to the product, including leveraging API oriented capabilities found in TIBCO Cloud Integration (http://cloud.tibco.com).

The next release of Mashery Local - v4.0 was made Generally Available a few weeks back.  With this release we have included several features - some geared towards improvements in security oriented features and some towards improving dev ops flexibility around deploying Mashery Local. The new features are as below:

1) Mashery Local is now also available for deployment in Docker-based environments ( in addition to the virtual appliance form-factor). This allows administrators to easily deploy Mashery Local in either internal data-centers or external cloud platforms that support Docker based deployment choices. 

2) Mashery Local now includes full support for HTTPS server and client support. Features are included that allow administrators to configure trust and identity stores, set up HTTPS client profiles and facilitate two-way SSL if needed to the API back-end. Additionally, communication between an enterprise's load balancer and Mashery Local cluster can now be encrypted over SSL ( via a user-controlled configuration option)

3) Mashery Local now includes a secure way to manage developer secrets - a new option is now avaiable "Secure Hash Authentication" while configuring API endpoints. When this option is selected, secrets will no longer be stored anywhere either on-cloud or on-premise. Instead only a one-way hash of the secrets get stored which render them effectively useless in the event they get compromised

To download this release and get access to the detailed documentation, you can visit http://edelivery.tibco.com as usual or contact Technical Support for assistance