Layer7 API Gateway 11.2
28 November 2025
November 28th, 2025
To: Layer7 API Gateway Customers
From: The Broadcom Layer7 API Security Product Team
Subject: Release Announcement for Layer7 API Gateway 11.2
The Layer7 product group of Broadcom's IMS division is pleased to announce that the Layer7 API Gateway 11.2 is now available.
Congratulations to the team for reaching this important milestone and for continuing to deliver value to our customers.
Here are the highlights of this release:
- New Web Policy Manager
This new web Policy Manager provides a new modern user experience for managing Gateway configuration. It will eventually include all essential capabilities needed to replace the legacy Policy Manager as well as many enhancements and new capabilities. In this release, users can:
  - Optionally enable the new web Policy Manager for use
  - Access the gateway as an administrator user with a configurable session timeout
  - Manage services, policies and entities in multiple tabs
  - Publish a web API manually or using a Swagger or OpenAPI specification
  - Manage service and policy properties
  - Author policy using all out-of-the-box policy assertions
  - Copy and paste policy
  - View and copy references to output context variables
  - Fully manage cluster-wide properties and stored passwords
  - List and create private keys
  - Export and import Graphman bundles with or without dependencies
  - Specify mapping actions when exporting and importing
  - Analyze dependencies when exporting and importing
  - Switch between light and dark modes
- Distroless Container Gateway
The container gateway has moved to a distroless base image to further enhance its security posture.
- Post Quantum Crypto Key Exchange
Support has been added for the X25519MLKEM768 post-quantum-ready key exchange algorithm for inbound HTTP, HTTP/2 and WebSocket traffic to protect against "harvest now, decrypt later" threats.
- Mounted Secrets Formatting Enhancement
Support has been added and an example has been provided for handling mounted secrets that are formatted differently by different source systems, beginning with AWS Secrets Manager.
- Enhanced In-place Gateway Upgrade
The Gateway’s in-place upgrade process has been enhanced with additional readiness checks and a “one-click” upgrade script that can perform all necessary upgrade steps, including the database upgrade step, and continue across gateway restarts, either interactively or automatically.
- Upgrades
This major release includes many component upgrades to increase Gateway security, reliability and utility. The most significant upgrades include the following:
  - JDK 21 Upgrade
  - Tomcat 10.1 Upgrade
  - Apache HTTP Client 5.4 Upgrade
  - Spring 6 Upgrade
  - Jetty 12 Upgrade
  - Debian 13 Upgrade
  - MySQL 8.4 Upgrade
  - HSM Client Upgrades (validated; customer provided)
- Progressive Delivery Features Advanced from Preview to GA
Based on the positive experiences of many early adopters and broad interest expressed by other customers, we have decided to advance the following Progressive Delivery features from Preview to GA. Beginning with this release, all customers can use these features with full Broadcom support.
  - OpenTelemetry
  - GemFire as a Distributed State Provider
  - Redis as a Distributed State Provider including:
    - Redis Standalone
    - Redis Sentinel
    - Redis Enterprise (with or without active-active)
    - AWS ElastiCache for Redis
    - AWS ElastiCache for Valkey
  - Enhanced or New Assertions Using GemFire, Redis or Hazelcast including:
    - Apply Distributed Rate Limit Assertion
    - Throughput Quota Assertion
    - Key Value Storage Assertion
    - Circuit Breaker Assertion
  - Policy as Code
  - Arm64 Container Gateway
  - Environment Variable Support
  - GraphQL Schema Validation Assertion
  - GraphQL Extract Value Assertion
  - Require and Introspect OAuth Token Assertion
  - Listen Port and Route via HTTPS Assertion Update on Key Renewal
  - WebSockets (via shared port)
Compatibility Considerations
While it is always recommended to consult the Layer7 Product Compatibility Matrix before upgrading any Layer7 product version, the significant changes in this Gateway release make doing so critical if you are using other Layer7 products with your gateways (including the Portal, OTK, MAG and/or PAPIM). Unique considerations for this release can be found here.
Removed Features
- Evaluate JSON Path Expression Assertion V1 Removal Notice
Version 2 of the Evaluate JSON Path Expression was released with Gateway 9.3 in 2017. Subsequently, we announced the deprecation of the Version 1 assertion with Gateway 10.1 CR4 and Gateway 11.0 CR1 in 2023. For reliability and security reasons, the Version 1 assertion is removed from this release. Customers should update their policies to the Version 2 assertion before planning to upgrade to Gateway 11.2 or later.
- RADIUS & RADIUS+LDAP Authentication for Admin SSH
These less secure methods of authenticating administrative access to gateways via SSH were deprecated in 11.1.1 and are removed from this release. Users should use the more secure LDAP method of authentication instead. Local authentication is another option.
- Hardware Appliance Gateway
The hardware appliance Gateway was deprecated in Gateway 11.1. Starting with Gateway 11.2, hardware appliance Gateway customers will need to move to another supported Gateway form factor (including the virtual appliance Gateways, software Gateways or container Gateways).
Deprecated Features
The following features are being deprecated, but not removed, in Gateway 11.2. A deprecated feature means we may choose to remove the feature in a later Gateway release. If you are using these features and have concerns, please reach out to the Layer7 product team.
- Legacy Policy Manager
The legacy thick client Policy Manager application is being deprecated in favor of the new web Policy Manager introduced in this release. The new Policy Manager will replace the legacy Policy Manager when it includes all essential capabilities. The goal is for this to happen by the next major Gateway release, possibly making Gateway 11.2 the last major release to support the legacy Policy Manager.
- Embedded Hazelcast
Known issues with embedded Hazelcast have limited its use. Embedded GemFire, included since Gateway 11.1.3, is a better alternative to embedded Hazelcast. The goal is to remove embedded Hazelcast in the next major Gateway release.
- ISO-8859-1 Encoding of the HTTP Authorization Header
The industry is moving towards UTF-8 encoding of the HTTP Authorization header. Later versions of the HTTP client used by the Gateway have removed ISO-8859-1 encoding altogether. Customers should move to UTF-8 encoding as soon as possible.
- Outbound NTLM
NTLM has been deprecated in the current version of the Apache HTTP Client used by the Gateway for security and other reasons. It is recommended that customers move away from outbound NTLM to other more modern and secure forms of authentication.
- Create XACML Request Assertion
This assertion has no known users and a high maintenance burden. It is also possible to create XACML requests using other policy language. As such, it will not be implemented in the new Policy Manager, and it will be removed together with the legacy Policy Manager.
- Encode JWT Assertion & Decode JWT Assertion
These assertions are only available with a Mobile API Gateway license, have never been documented (until recently, for the new Policy Manager), and have long been replaced by the more generally available Encode JSON Web Token Assertion and Decode JSON Web Token Assertion. Users should move to the latter assertions.
For a complete list of enhancements and changes, please see the release notes and product documentation.
You can download your copy of Layer7 API Gateway 11.2 from Broadcom Support Online https://support.broadcom.com/.
If you have any questions or require assistance, please contact Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form: https://ca-broadcom.wolkenservicedesk.com/web-form?_ga=2.205828371.1432263889.1590607313-713014253.1588711301. You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country.
Should you need any assistance, our Broadcom Services experts can help. For more information on Broadcom Services and how you can leverage our experience, please visit https://www.broadcom.com/support/ca/services-support/ca-services.
Your success is very important to us, and we look forward to continuing our successful partnership with you.
To review Broadcom Support lifecycle policies, please see the Broadcom Support Policy and Terms located at: https://support.broadcom.com/.
Thank you again for your business.