What's new in this release

IBM Security Verify Access provides new features and extended functions for Version 10.0.2.

Verify Access Platform

  • Proxy Protocol Support

    The Web reverse proxy now supports the ‘proxy protocol’ for the receipt of connection information from a proxy which sits in front of the Web reverse proxy. See Proxy Protocol Support.

  • Client IP Rules

    The Web reverse proxy now provides the ability to define rules to permit or deny connections based on the client IP address. See Client IP Rules.

  • Reverse Proxy Persistent Sessions

    A change has been made to the format of the tokens which are used for persistent sessions which means that tokens which have been created by an earlier version of Verify Access will no longer work. Users will be prompted to re-authenticate if an older token is provided to the Reverse Proxy. For more information on persistent sessions, see Persistent Sessions.

  • LMI Message Timeout

    A new administrator setting has been added to allow a timeout to be set for LMI notification messages. The default timeout is set as 5 seconds. Setting a value of 0 removes the timeout and messages will remain until manually closed. To update this entry, see Configuring administrator settings.

  • License Auditing for Containerized Deployments

    The IBM License Metric Tool (ILMT) container now supports IBM Security Verify Access. By using the ILMT container, administrators are able to automate license usage and auditing for deployments which use Kubernetes infrastructure and are based on a processor based licensing model. To deploy the ILMT container with Verify Access, see License usage with IBM Security Verify Access deployed on Kubernetes.

  • nCipher Harderserver and watchdog log forwarding

    Remote Syslog forwarding capabilities has been added for the nCipher watchdog and hardserverlog files. These log files can now be collected by a remote logging server where they can be centrally managed. To set up a remote syslog server for IBM Security Verify Access, see Forwarding logs to a remote syslog server.

  • Junctioned Servers Priority

    It is now possible, when configuring a junctioned server in the Web Reverse Proxy, to specify a priority value for the server. See Adding multiple back-end servers to the same junction.

  • Adding HTTP Headers to requests

    It is now possible to generate a HTTP header, from a credential attribute, which is inserted into requests sent to any junction. See Adding a HTTP header for all junctions.

  • Container Enhancements

    To help improve the start-up time of Docker containers the verification of files on the file system is now controlled by the VERIFY_FILES environment variable. See Docker Image for Security Verify Access.

    A new container image has been created which embeds the AAC and Federation runtime. See Docker Image for Verify Access Runtime.

    A new container image has been created which provides the Web Reverse Proxy capabilities. See Docker Image for Verify Access Web Reverse Proxy.
    Note: The capability of running the verify-access image as anything other than a configuration container is being deprecated and will not be available in verify-access images released after 2021. The new runtime, Web reverse proxy and DSC images should be used instead.

    The management of Web Reverse Proxy instances, including junction management and object space management, from the configuration container is now more efficient and performant.

    Support for a Kubernetes start-up probe has been added to the embedded health check script. See Kubernetes support.

    A new container image has been created which provides the Distributed Session Cache capabilities. See Docker image for Verify Access Distributed Session Cache.

  • Reverse Proxy Auditing

    It is now possible to configure the Web reverse proxy to send audit records in JSON format. See audit-json.

  • Reverse Proxy JWT Support
    A configuration option is now available which controls, when the Web Reverse proxy generates a JWT to be sent to a junctioned application:
    • The lifetime of the generated JWT. See lifetime.
    • The format of the HTTP header which is added to the request. See hdr-format.
  • Junction Cookie

    The junction cookie can now be returned to clients as a standard HTTP cookie. See Inserting the junction cookie as a standard HTTP cookie.

  • Enable Junction Protocols

    It is now possible to enable and disable SSL/TLS protocols on a per junction basis. See [junction:<jct-id>] stanza

  • Web Reverse Proxy Tracing

    The snoop tracing for the Web Reverse proxy can now be activated on a per junction basis. See junction-specific-snoop.

  • Management Authentication

    When a remote LDAP user registry is configured for management authentication the DN of a client certificate can now be mapped to a new format using a Javascript function. See Configuring management authentication.

  • Web Reverse Proxy TFIM Junction Configuration

    It is now possible to set global configuration entries for TFIM SSO style junctions. See Single sign-on Security Token Service.

  • Access Logging for Administrator Interface

    Support has been added to log administrator requests to the Local Management Interface (LMI). The output format of this log can be customized using an administrator setting. See Configuring administrator settings.

  • Reverse Proxy OAuth Introspection

    You can now configure additional HTTP headers which will be sent to the OAuth introspection endpoint. See http-header.

  • Runtime FIPS file integrity check

    A new command has been added to the FIPS Command Line Interface (CLI) menu on FIPS enabled appliances. This command scans the appliance file system and validates that the firmware has not been modified. To learn more about FIPS Compliance, see FIPS 140-2.

  • New Management Authorization Roles

    Two new management authorization roles have been added: Full Read which permits read access to all Local Management Interface (LMI) URLs and Full Write which permits write access to all LMI URLs. Unlike existing authorization roles, Full Read and Full Write do not use a feature list and do not need to be updated when an appliance is upgraded. See Managing roles of users and groups.

  • Statistics Monitoring

    The memory, storage, CPU and interface monitoring statistics can now be returned for shorter ranges. See Monitoring.

  • Amazon CloudWatch Support

    The virtual appliance now supports the unified CloudWatch agent which can be used to report on metrics from the virtual appliance in a Amazon Web Services (AWS) environment. See Configuring Amazon CloudWatch support.

  • AAC Configuration Wizards

    The AAC configuration wizards, which are used to configure the Web reverse proxy as a point of contact, have been modified so that the automatic retrieval of the server certificate from the runtime profile is now optional. This allows the configuration to successfully complete even when the AAC runtime server is not available. This impacts the MMFA Configuration, OAuth and OpenID Connect Provider Configuration, Authentication and Context Based Access Configuration, and IBM Verify Gateway Configuration wizards.

  • Web Reverse Proxy Certificate Validation

    It is now possible to perform CN and Subject Alternative Name validation on certificates which are provided by Junctioned servers. See Matching the common name (CN) and subject alternative name (SAN).

  • Reverse Proxy HTTP Header Sessions

    It is now possible to restrict the creation of HTTP Header indexed sessions to include only those HTTP headers which have been used in the authentication process. See require-auth-session-http-hdrs.

  • Remote Syslog Forwarding

    It is now possible to forward messages to a remote syslog server using the syslog format defined in RFC5424. See Forwarding logs to a remote syslog server.

  • RSA SecurID configuration

    In the RSA SecurID configuration the ability to provide a sdopts.rec file has been added. This allows the specification of the IP address that the SecurID authentication method should use. See Managing RSA SecurID configuration.

  • Deprecated Reverse Proxy SSO functionality

    For new installations of IBM Security Verify Access the legacy cross-domain single-sign-on (CDSSO) and e-community single-sign-on (eCSSO) authentication mechanisms have been deprecated. In these environments a more modern federated single-sign-on protocol should be used. These authentication mechanisms will however continue to work in an environment which has been upgraded from an older version of Verify Access.

    The query contents capability of the Web Reverse Proxy has been deprecated. This legacy capability allowed the Web Reverse Proxy to send a Web request to a junctioned server to determine the composition of the policy object space for the junction. This has no impact on the ability to attached ACLs and POPs to any location under a junction.

Advanced Access Control (AAC)

  • Managing LDAP password attributes

    Support is now added for updating LDAP User Registry attributes when you are performing password authentication using AAC AuthSvc. Administrators can now update LDAP attributes which record the number of failed password attempts and the last successful login time. This capability is available from either the Username/Password authentication mechanism, or using the UserLookupHelper in an InfoMap authentication rule. See Configuring username and password authentication.

  • Apple Push Notification Service Updates

    The Apple Push Notification Provider has been updated to use the new HTTP/2 Apple Push Notification serviceAPI. The previous implementation was based on the Binary Provider API, which has been decommissioned by Apple and is no longer available. Migration of configuration data relating to Apple Push Notification Service will be done automatically on upgrade. See Push notification registration.

  • New Request Context Attributes and Macros

    Multiple new request context attributes have been added for use in AAC Mapping Rules. See Authentication policy parameters and credentials. The Target URL is also now available as a default macro, @TARGET@.

  • AuthSvcClient helper for InfoMap policy execution

    A new helper has been added which allows administrators to complete other authentication service policies within an InfoMap step without having to use HTTP requests to the authentication service. For more details and a simple example, see Execute authentication service policies in an Info Map

  • Sample geo-location database

    The appliance firmware no longer embeds a sample geo-location database. A free database which can be used is available from the MaxMind site (https://www.maxmind.com). See Updating location attributes.

  • Local FIDO2 Client Custom Challenge

    The LocalFIDOClient helper has been updated to allow a custom challenge to be specified in both the assertion and attestation options requests. See Local FIDO Client.

  • Redis Support

    Support has been added for storing Authentication Service user sessions in Redis via the Distributed Map (DMap) when cookie-less is enabled. See Configuring the authentication and access module for cookieless operation and Server connection properties.

    The HVDB value for authsvc.stateMgmt.store has been removed. The HVDB can still be used as the cookie-less store, configured instead via the new DMap implementation, which supports HVDB as a store.

    FIDO2 short-lived data is stored in the DMap and will be impacted by the new DMap store configuration. See Advanced configuration properties.

  • RSA One-Time Password has been deprecated

    The RSA SecurID Authentication agent used by the RSA One-Time Password mechanism has been deprecated and is no longer supported. See RSA SecurID Authentication API.

    Instead use the RSA SecurID mechanism which utilizes the REST-based Authentication API. See Configuring an RSA one-time password mechanism. To enable the Authentication API on the Authentication Manager, see How to set up the REST RSA SecurID Authentication API for Authentication Manager 8.2 SP1.

  • New Local FIDO Client configuration ID discovery function

    The LocalFIDOClient helper has been updated to include a new function that can be used to exchange a rpId for the Relying Party configuration ID. See Local FIDO Client.

  • IBM Security Verify Gateway Integration

    An InfoMap based integration with IBM Security Verify Gateway has been added. Two Verify Gateway wizards have been created in the LMI to ensure all the required configuration is performed, located under the Reverse Proxy Manage menu, and a new AAC menu item IBM Security Verify Gateway. See IBM Security Verify Gateway.


  • Support for JSON Web Token (JWT) PS signing algorithm

    The IBM Security Verify Access Federation component now supports the PS signing algorithm. See JWT Support.

  • OAuth2 Token Exchange

    Token Exchange can now be enabled as OAuth2 grant type on IBM Security Verify Access. See OAuth 2.0 and OIDC workflows.

  • Redis Support

    IBM Security Verify Access now supports storing HTTP sessions and Protocol specific sessions into Redis. See Server connection properties.

  • Federation Connection Templates

    The appliance firmware no longer embeds a copy of the Federation connector templates. The template package is available for download from IBM Security App exchange. See Managing federation partner templates.

  • Support for regular expression based signature validation

    SAML 2.0 service provider partners now supports regular expression based signature validation for assertion during Single Sign On flows. See SAML 2.0 Service Provider Partner Worksheet.

  • Session Persistence

    Support has been added to the Local Management Interface (LMI) to allow the Advanced Access Control and Federation session persistence stores and consumers to be configured through their own UI page. See Managing Session Persistence.