What's new in this release

IBM® Security Verify Access provides new features and extended functions for Version 10.0.0.

Verify Access Platform

  • Authorization REST API

    The Web Reverse Proxy now embeds an application that provides a REST API that can be used to evaluate authorization decisions. See Authorization REST API.

  • Credential Viewer

    The Web Reverse Proxy now embeds an application which can be used to return the credential information for the authenticated session. See Credential Viewer Application.

  • Cross Origin Resource Sharing (CORS)

    The Web Reverse Proxy can now handle CORS processing. This includes processing regular cross-origin requests and handling pre-flight requests on behalf of backend applications. See [cors-policy:<policy-name>] stanza and Cross-Origin Resource Sharing (CORS) Support.

  • CORS Policies in API Access Control

    Cross-Origin Resource Sharing (CORS) policies can now be managed as part of API Access Control. Global policies can be created and attached individually to any existing or new API Access Control resources. See Cross-Origin Resource Sharing (CORS) policies.

  • Default TCP Tuning Parameters

    Certain TCP tuning parameters are now set by default in the appliance, following the recommendations in https://www-01.ibm.com/support/docview.wss?uid=swg21960611

  • Web Reverse Proxy TLS 1.1 support

    By default, TLS 1.1 browser support is disabled within the Web Reverse Proxy. To re-enable it for clients that cannot negotiate TLS 1.2 or later, set the disable-tls-v11 configuration entry to "no". TLS 1.1 is deprecated (RFC 8996), so leave it disabled unless such clients actually exist. See disable-tls-v11.

  • Command Line Interface

    The command line interface has been updated so that you can now call curl to help test remote Web server connectivity. This new command is available from the ‘tools’ menu.

  • Configuration UI Updates

    The Local Management Interface (LMI) is modernized and now makes use of the Carbon Design System.

  • WebSEAL OAuth EAS

    The WebSEAL OAuth EAS can now be configured to add attributes from the user credential into the request which is sent to the WS-Trust service of the Federation runtime. See credential-attributes.

  • JWT Support

    The Web Reverse Proxy can now natively generate signed JSON Web Tokens that can be included in HTTP requests which are forwarded to junctioned servers. Junctioned applications that consume these tokens should verify the signature, issuer, audience and expiry rather than trusting the presence of the header alone. See JSON Web Tokens in HTTP Headers.

    The API Access Control resource server web services and UI can now be used to configure JWT generation for the selected resource server. See Create a new resource server.

  • Web Reverse Proxy Content Insertion

    The Web Reverse Proxy can now be configured to insert content into responses based on partial line matches. See [snippet-filter:<uri>:partial-line-match].

  • Docker Image

    A new environment variable, ‘USE_CONTAINER_LOG_DIR’, can be set in the docker container to specify that a container specific log directory will be used.

    The ADMIN_PWD environment variable is now only used to seed the initial administrator password. The password can still be changed using the management UI.

    For more information on these environment variables, see Docker Image for Security Verify Access.

  • Remote Syslog Forwarding

    In addition to the messages and trace logs, the Advanced Access Control and Federation runtime log files can now be forwarded to a remote syslog server.

  • Web Reverse Proxy TLS Ciphers

    The default accepted TLS ciphers within the Web Reverse proxy have been strengthened. See [ssl-qop-mgmt-default] stanza.

  • WebSEAL Cookie Attributes

    WebSEAL can now be configured to add static cookie attributes to HTTP response cookies just before they are returned to clients. See [cookies-attributes] stanza.

  • Solid DB Support

    Support for the Solid DB database as the store for runtime and configuration data has been dropped.

  • Password Quality

    Password quality requirements are now enforced for the administrator password and LMI system accounts. See Configuring password quality.

  • Helm Charts

    The helm charts for Verify Access have been relocated to a new GitHub repository. See Helm Charts.

  • PAM Support

    The Web Application Firewall capability will reach end of service on 31 December 2022. After this date, no further updates will be made available. Customers can continue to use the capability on an as-is basis, and support will be available for general information and existing functionality only. There will be no defect support. See Documentation updates for known limitations.
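The Cross Origin Resource Sharing (CORS) item in this section says the Web Reverse Proxy now answers pre-flight requests on behalf of backend applications and processes regular cross-origin requests. The following is an added example, not the product's implementation or its [cors-policy] stanza: a small policy evaluator that shows the decisions such a proxy has to make and the checks that matter for security, namely exact origin matching (no prefix or wildcard reflection), echoing only the matched origin with Vary: Origin, and refusing pre-flights for methods or headers the policy does not list. The CorsPolicy fields and the fail-closed 403 for unknown origins are assumptions made for the example.

```python
"""Reverse-proxy style CORS handling: answer pre-flights locally and stamp
permitted cross-origin responses. Added illustration only; the CorsPolicy
fields and the fail-closed choices are assumptions, not the product's
[cors-policy] stanza."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset                      # exact scheme://host[:port] strings
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_headers: frozenset = frozenset({"authorization", "content-type"})
    allow_credentials: bool = False
    max_age: int = 600


def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    # Exact match only. A prefix or substring test would accept
    # "https://app.example.com.evil.net"; the literal "null" origin is never trusted.
    return origin != "null" and origin in policy.allowed_origins


def handle(policy: CorsPolicy, method: str, headers: dict):
    """Decide what the proxy does with one inbound request.

    Returns (action, status, cors_headers):
      ("forward", None, {...})  pass to the backend, adding cors_headers to its response
      ("respond", code, {...})  answer here (pre-flight), without touching the backend
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return ("forward", None, {})                # same-origin or non-browser: not CORS
    preflight = method.upper() == "OPTIONS" and "access-control-request-method" in h
    if not origin_allowed(policy, origin):
        # No Access-Control-Allow-Origin at all, so the browser blocks the read.
        # Pre-flights from unknown origins are refused outright (assumed policy).
        return ("respond", 403, {}) if preflight else ("forward", None, {})

    cors = {"Access-Control-Allow-Origin": origin,  # echo the matched origin, never "*"
            "Vary": "Origin"}                        # stop shared caches mixing origins
    if policy.allow_credentials:
        cors["Access-Control-Allow-Credentials"] = "true"
    if not preflight:
        return ("forward", None, cors)

    want_method = h["access-control-request-method"].upper()
    want_headers = {x.strip().lower()
                    for x in h.get("access-control-request-headers", "").split(",")
                    if x.strip()}
    if want_method not in policy.allowed_methods or not want_headers <= policy.allowed_headers:
        return ("respond", 403, {})
    cors["Access-Control-Allow-Methods"] = ", ".join(sorted(policy.allowed_methods))
    cors["Access-Control-Allow-Headers"] = ", ".join(sorted(policy.allowed_headers))
    cors["Access-Control-Max-Age"] = str(policy.max_age)
    return ("respond", 204, cors)


if __name__ == "__main__":
    # Constructed sample traffic: one pre-flight, one real request, one lookalike origin.
    policy = CorsPolicy(allowed_origins=frozenset({"https://app.example.com"}),
                        allow_credentials=True)
    print(handle(policy, "OPTIONS", {"Origin": "https://app.example.com",
                                     "Access-Control-Request-Method": "POST",
                                     "Access-Control-Request-Headers": "Authorization"}))
    print(handle(policy, "GET", {"Origin": "https://app.example.com"}))
    print(handle(policy, "GET", {"Origin": "https://app.example.com.evil.net"}))
```

The two places where real deployments go wrong are both visible here: reflecting whatever Origin arrives (with Allow-Credentials: true this hands the authenticated session to any site) and matching origins by prefix or regular expression that an attacker-registered hostname also satisfies.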
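The JWT Support item in this section describes tokens the Web Reverse Proxy mints and forwards to junctioned servers. The following is an added example, not IBM code, that shows the contract both ends of that arrangement must honour: the proxy side signs a short-lived token, and the junctioned application verifies the algorithm, signature, issuer, audience and expiry before trusting any claim. It assumes HMAC-SHA256 with a shared key (one of several possible signing choices), a request header named iv-jwt, and the issuer and audience strings shown; all of these are constructed for the example and are not product defaults.

```python
"""Mint and verify a JWT of the kind a reverse proxy can place in a request
header for a junctioned backend. Added illustration, not IBM code: the shared
key, the header name and the issuer/audience strings are constructed for the
example, and HMAC-SHA256 is just one of the possible signing choices."""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-example-key-do-not-use-0123456789"   # constructed
HEADER_NAME = "iv-jwt"                                         # assumed name
ISSUER, AUDIENCE = "webseal", "app1"                           # assumed values


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: dict, key: bytes, ttl: int = 300, now=None) -> str:
    """Proxy side: add iat/exp and sign header.payload with HS256."""
    now = int(time.time()) if now is None else now
    signing_input = (b64url_json({"alg": "HS256", "typ": "JWT"}) + "."
                     + b64url_json(dict(claims, iat=now, exp=now + ttl)))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Backend side: return the claims or raise ValueError. Order matters:
    pin the algorithm first, check the signature second, read claims last."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # never honour alg=none or a key-type swap
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    return claims


def handle_backend_request(headers: dict, key: bytes, now=None) -> str:
    """The junctioned application's entry point: identity is taken only
    from a token that verifies, never from an unsigned header value."""
    token = headers.get(HEADER_NAME)
    if token is None:
        return "401 no token"
    try:
        claims = verify_jwt(token, key, ISSUER, AUDIENCE, now=now)
    except ValueError as err:
        return f"401 {err}"
    return f"200 user={claims.get('sub')}"


if __name__ == "__main__":
    tok = mint_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice"}, SHARED_KEY)
    print(tok)
    print(handle_backend_request({HEADER_NAME: tok}, SHARED_KEY))
```

The algorithm is pinned on the verifying side rather than read from the token so that an alg=none header, or a token signed with a different key type, is rejected before any signature work is done; the short ttl bounds how long a captured token stays useful if a request log or proxy trace leaks it.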

Advanced Access Control

  • FIDO2 Auditing Manager

    The auditing of FIDO2 registration and authentication ceremonies is now supported.

  • Registration Helper for JavaScript Mapping Rules

    Administrators can now retrieve the enrollment status and enrollment data of a user’s registered 2FA mechanisms from within a JavaScript mapping rule.

  • Advanced HTTP Client

    There is a new version of the HTTP Client that is available to be used in mapping rules. The JavaDoc for the new client is available on the appliance from: System > Secure Settings > File Downloads > access_control folder > doc folder > ISAM-Javadoc.zip. The full name of the new client class is com.ibm.security.access.httpclient.HttpClientV2. For details of the new configuration values, see Advanced Configuration Properties.

  • Local FIDO2 Client

    There is a new Java class exposed in InfoMap: com.tivoli.am.fim.fido.LocalFIDOClient exposes the FIDO2 API in Java, so administrators no longer have to rely on HTTP callouts to implement customized FIDO2 flows. See FIDO Client Manager.

  • FIDO2 Relying Party WebAuthn Specification Enforcement

    A configuration option has been added to the FIDO2 Relying Party creation and modification interfaces that allows an administrator to enable or disable enforcement of the WebAuthn specification. The specification requires user presence during attestation and assertion, so disabling enforcement removes that check; leave it enabled unless a specific authenticator population requires otherwise. See FIDO2 Configuration.

  • FIDO2 Extension support

    IBM Security Verify Access adds support for FIDO2 extensions during registration and authentication ceremonies. See the FIDO mediator demo that is available on the appliance from: Manage System Settings > Secure Settings > File Downloads > access_control folder > examples > mapping_rules directory for examples of consuming FIDO extensions during attestations and assertions.

  • FIDO2 Registrations Admin API Filtering

    The FIDO Registrations page now supports searching registrations by a selected attribute and limiting the results to a specified number.

  • Branching Authentication Policies

    Authentication policies now contain support for decisions and branches that enable more complex scenarios than simple workflows with serial steps. See Branching Authentication Policies.

Federation

  • Support for x5t and x5c in the JWKS endpoint and JWT headers

    The JWKS endpoint now includes the x5t#S256 and x5c values for each JSON Web Key.

    A helper class can now generate certificate thumbprints (x5t, x5t#S256) and the certificate chain, for users who want to include the x5t value in a JWT header.

  • Support for X.509 STS Module

    The IBM Security Verify Access Federation Component now supports X.509 for the STS Module.

  • Improvements to reduce SAML 2.0 Session Footprint

    Improvements are made to reduce the data stored after the completion of a SAML 2.0 single sign on flow.

  • Advanced HTTP Client

    There is a new version of the HTTP Client that is available to be used in mapping rules. The JavaDoc for the new client is available on the appliance from: System > Secure Settings > File Downloads > access_control folder > doc folder > ISAM-Javadoc.zip. The full name of the new client class is com.ibm.security.access.httpclient.HttpClientV2. For details of the new configuration values, see Advanced Configuration Properties.

  • Native LDAP lookup helper

    The IBM Security Verify Access Federation Component introduces a native LDAP Utility that can be used in the STS JS mapping rule to access the LDAP server.

  • Legacy OIDC is deprecated

    Attention: In IBM Security Verify Access v10.0.0, legacy OIDC is deprecated.

    For new installations of IBM Security Verify Access v10.0.0, the option to configure a legacy OIDC federation no longer exists. For installations upgraded to IBM Security Verify Access v10.0.0, legacy OIDC runtime flows fail with the error message "Legacy OIDC has been deprecated". Existing legacy OIDC configurations are not accessible after the upgrade.

    Note: Optionally, to clean up existing legacy OIDC configurations before upgrading to IBM Security Verify Access v10.0.0, see https://www.ibm.com/support/pages/node/1168012

  • FAPI/OIDC Compliance Wizards

    IBM Security Verify Access now supports configuring an OpenID Connect Provider (OP) and a Financial-grade API (FAPI) compliant OIDC definition through compliance wizards. See Setting up the OIDC Definition API.

  • Using Distributed Session Cache (DSC) to store SAML 2.0 sessions

    IBM Security Verify Access v10.0.0 now supports storing SAML 2.0 sessions in the Distributed Session Cache (DSC). This is enabled with the advanced configuration parameter saml20.sessionStore. See Advanced configuration properties.
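The "Support for x5t and x5c" item in this section exposes certificate thumbprints and chains in the JWKS endpoint and in JWT headers. The following is an added example, not the Federation helper class, that shows the encoding rules these members follow (x5t and x5t#S256 are base64url without padding over the SHA-1 and SHA-256 of the DER certificate; x5c is standard base64 with padding, leaf certificate first) and the one rule a verifier must keep: a thumbprint or kid in an incoming JWT header only selects among keys already in the trusted JWKS, while an x5c or x5u carried in the token itself is attacker-controlled and is ignored. The certificate bytes used here are constructed stand-ins, so the JWK fields that would come from the public key (kty, n, e) are left out; a real DER certificate drops into the same functions unchanged.

```python
"""x5t / x5t#S256 thumbprints and x5c entries as carried in a JWK, and
choosing a trusted verification key from the thumbprint in a JWT header.
Added illustration, not the Federation helper class. The certificate bytes
are constructed stand-ins; a real DER certificate goes in the same place."""
import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without padding (RFC 7515), used for x5t and x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Thumbprints are over the DER encoding, never over the PEM text."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def x5t(der: bytes) -> str:
    return b64url(hashlib.sha1(der).digest())       # 20 bytes -> 27 characters


def x5t_s256(der: bytes) -> str:
    return b64url(hashlib.sha256(der).digest())     # 32 bytes -> 43 characters


def x5c(chain_der: list) -> list:
    """x5c uses standard base64 with padding, leaf certificate first (RFC 7517 4.7)."""
    return [base64.b64encode(c).decode("ascii") for c in chain_der]


def jwk_cert_fields(kid: str, chain_der: list) -> dict:
    """Certificate-related JWK members; thumbprints are of the leaf only."""
    leaf = chain_der[0]
    return {"kid": kid, "x5c": x5c(chain_der),
            "x5t": x5t(leaf), "x5t#S256": x5t_s256(leaf)}


def select_trusted_key(jwks: dict, jwt_header: dict):
    """Return the trusted JWKS entry the token header points at, or None.

    The most specific pointer present wins and is not allowed to fall back:
    a stated x5t#S256 that matches nothing is a rejection, not a reason to
    try kid next. x5c / x5u in the header are never consulted, because
    letting the token supply its own certificate lets a signer certify itself."""
    for field in ("x5t#S256", "x5t", "kid"):
        want = jwt_header.get(field)
        if want is None:
            continue
        for key in jwks["keys"]:
            if key.get(field) == want:
                return key
        return None
    return None


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (leaf first, then issuer).
    chain = [b"constructed-leaf-certificate-der", b"constructed-ca-certificate-der"]
    jwks = {"keys": [jwk_cert_fields("fed-signing-2020", chain)]}
    print(jwks)
    print(select_trusted_key(jwks, {"x5t#S256": x5t_s256(chain[0])}))
    print(select_trusted_key(jwks, {"x5t#S256": x5t_s256(b"some-other-cert")}))
```

When a JWKS is published, the x5t#S256 value is what relying parties should pin in preference to x5t, since SHA-1 collisions are practical and a thumbprint is only as strong as its hash.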