Documentation updates for known limitations

You can view the known software limitations, problems, and workarounds on the IBM® Security Verify Access Support site.

The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience.

Also, check the Troubleshooting topics.

Known limitations for Security Verify Access

A system error is displayed briefly when the Mozilla Firefox browser is refreshed.

When you use the Mozilla Firefox browser to access the local management interface, sometimes a system error is displayed briefly during a browser refresh.

This error is displayed because the browser refresh causes an XMLHttpRequest (XHR) request to be canceled before the request finishes. The error does not indicate any impact on normal operations and can be ignored.

Unable to remove local users or groups from authorization roles with Mozilla Firefox on Mac OS X.

When you use the local management interface in Mozilla Firefox on Mac OS X, you might not be able to remove a user or group from an authorization role.

On the Management Authorization page of the local management interface, when you click Edit, the Edit Local Members window is displayed. To remove a user or group, normally you clear the check box for that user or group and then click OK to save the changes. However, if you complete this operation with Firefox on Mac OS X, the browser does not recognize the change and does not display an error message. The user or group list remains unchanged after you click OK.

To avoid this issue on Mac OS X, you have two options:

  • Use a different browser to access the local management interface.
  • Use the REST API. See the REST API documentation and browse to Manage: System Settings > System Settings > Management Authorization > Updating an authorization role.
Lower throughput observed with certificate revocation list enabled
Enabling certificate revocation list (CRL) validation might result in lower throughput from the system. If the certificates that the system validates do not reference a CRL, you can disable CRL checking with the advanced configuration parameter kess.crlEnabled. Alternatively, you can reduce the frequency of CRL checking with the advanced configuration parameter kess.crlInterval. Note that disabling CRL checking removes revocation checking entirely: a certificate that its issuer revokes is accepted until it expires. When the certificates do publish a CRL, prefer lengthening kess.crlInterval over disabling the check.
Client certificate authentication for federated directories is not supported for UsernameTokenSTSModule
When you configure a federated directory, do not select a client certificate, because UsernameTokenSTSModule does not support client certificate authentication to federated directories.
In rare circumstances, an OAuth access token validation might fail.
These instances have been observed very shortly after a restart of the Advanced Access Control runtime server. The symptoms and conditions include:
  1. Restart the Advanced Access Control runtime server.
  2. Execute an OAuth flow, such as the Resource Owner Password Credential flow, to obtain a valid access and refresh token pair.
  3. Attempt to use the access token to access a resource that is protected by the API Definition associated with the OAuth client that has been granted the access token.

Step 3 has been observed to fail on rare occasions. The cause is delayed initialization of some internal Advanced Access Control runtime components after the restart. When the request for the protected resource in step 3 is resubmitted, normal successful processing has been observed.
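The following is an added example, not code from the IBM documentation: a client-side retry wrapper for the transient failure described above. A freshly issued access token can be rejected once shortly after the Advanced Access Control runtime restarts, and resubmitting the same request succeeds, so the wrapper resubmits a request that fails with 401 a bounded number of times. The transport function `send`, the simulated 401-then-200 responses, and the resource path are assumptions for illustration; they are not a real Verify Access endpoint or API.

```javascript
// Added example (not part of the IBM documentation). Retries a protected-resource
// request that is rejected with 401 right after an AAC runtime restart.
// `send`, the request shape and the simulated transport are assumptions.

function sleepSync(ms) {
  // Synchronous sleep (Node.js main thread) so the example needs no async plumbing.
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

/**
 * Send a request for a protected resource, resubmitting it when the token is rejected.
 *
 * @param {(req: object) => {status: number, body?: string}} send  transport (assumed shape)
 * @param {{method: string, url: string, accessToken: string}} request
 * @param {{retries?: number, delayMs?: number, wait?: (ms: number) => void}} opts
 * @returns {{status: number, body?: string, attempts: number}}
 */
function requestProtectedResource(send, request, opts = {}) {
  const retries = opts.retries ?? 1;     // one resubmission is what the limitation calls for
  const delayMs = opts.delayMs ?? 250;
  const wait = opts.wait ?? sleepSync;

  // Only idempotent methods are safe to resubmit blindly; a POST is sent once.
  const idempotent = ['GET', 'HEAD', 'OPTIONS'].includes(request.method.toUpperCase());
  const maxAttempts = idempotent ? retries + 1 : 1;

  let attempts = 0;
  let last;
  while (attempts < maxAttempts) {
    attempts += 1;
    last = send({
      method: request.method,
      url: request.url,
      headers: { Authorization: `Bearer ${request.accessToken}` },
    });
    // 401 is the transient token-validation failure described; any other status,
    // including other 4xx errors, is returned to the caller without a retry.
    if (last.status !== 401) break;
    if (attempts < maxAttempts) wait(delayMs);
  }
  return { ...last, attempts };
}

// Simulated transport (constructed for this example): rejects the first
// `failuresBeforeSuccess` calls the way the not-yet-initialised runtime would,
// then accepts the same bearer token.
function makeFlakyTransport(failuresBeforeSuccess) {
  let calls = 0;
  return (req) => {
    calls += 1;
    if (!req.headers.Authorization.startsWith('Bearer ')) return { status: 400 };
    if (calls <= failuresBeforeSuccess) return { status: 401, body: 'invalid_token' };
    return { status: 200, body: JSON.stringify({ resource: req.url }) };
  };
}

// Usage with the simulated transport and a placeholder token.
const result = requestProtectedResource(
  makeFlakyTransport(1),
  { method: 'GET', url: '/protected/resource', accessToken: 'example-access-token' },
);
console.log(`status ${result.status} after ${result.attempts} attempt(s)`);
```

The retry is deliberately limited to 401 on idempotent methods: a persistent 401 after the single resubmission is reported to the caller as a real token problem rather than masked by further retries.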

Junction type for Security Verify Access Oracle PeopleSoft PeopleTools integration

When you access the PeopleSoft WorkCenter Dashboard through WebSEAL by using a standard junction, the dashboard is not displayed correctly. The browser displays the message "Only secure content is displayed" with a "Show all content" button. When you click this button, an Oracle authentication login panel is displayed.

The "Only secure content is displayed" message is the browser's mixed-content warning: the page, which is served over HTTPS through WebSEAL, references content by the full http:// URL of the back-end server rather than by a path under the junction name. WebSEAL cannot filter such absolute addresses when a standard junction is used, so the browser requests them directly from the back-end server rather than through WebSEAL. For example:

<DIV id="ptasjs1"> http://hostaddress/cs/path/cache/PT_PORTAL_UTIL_JS_MIN_1.js</DIV>

Use a virtual host junction for this integration. A virtual host junction does not rely on script filtering and so avoids the limitations of standard junction script filtering.
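Before choosing the junction type for an application, it helps to know whether its responses contain absolute references to the back-end host at all. The following added example (not code from the IBM documentation or from Oracle) scans a captured response body for absolute URLs whose host is the back-end server and flags those that are plain http://, which the browser will also treat as mixed content when the outer page is HTTPS. The sample HTML is constructed for this example around the DIV quoted above; `hostaddress` and the paths are placeholders, not a real deployment.

```javascript
// Added example (not from the IBM documentation). Finds absolute back-end URLs in a
// response body; under a standard junction WebSEAL does not rewrite these, so the
// browser fetches them directly from the back end. Sample HTML is constructed.

const ABSOLUTE_URL = /\bhttps?:\/\/[^\s"'<>]+/gi;

/**
 * Return every absolute URL in `html` whose host is `backendHost`.
 * `mixedContent` is true when the reference is http:// inside an https page.
 */
function findUnjunctionedReferences(html, backendHost, pageScheme = 'https') {
  const findings = [];
  for (const match of html.matchAll(ABSOLUTE_URL)) {
    let url;
    try { url = new URL(match[0]); } catch { continue; }   // skip malformed candidates
    if (url.hostname.toLowerCase() !== backendHost.toLowerCase()) continue;
    findings.push({
      url: url.href,
      mixedContent: pageScheme === 'https' && url.protocol === 'http:',
    });
  }
  return findings;
}

// Constructed sample: the DIV quoted above, a relative script reference (which a
// standard junction handles and which must not be flagged), a third-party host,
// and an absolute https link back to the same back end.
const SAMPLE_RESPONSE = `
<DIV id="ptasjs1">http://hostaddress/cs/path/cache/PT_PORTAL_UTIL_JS_MIN_1.js</DIV>
<script src="/cs/path/cache/PT_COMMON_MIN_1.js"></script>
<img src="https://cdn.example.com/logo.png">
<a href="https://hostaddress/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT">Home</a>
`;

// Usage: report each absolute back-end reference found in the sample.
const hits = findUnjunctionedReferences(SAMPLE_RESPONSE, 'hostaddress');
for (const h of hits) {
  console.log(`${h.mixedContent ? 'MIXED-CONTENT ' : ''}absolute back-end reference: ${h.url}`);
}
```

Any hit is a reference that standard junction filtering leaves untouched; a hit flagged as mixed content is the one that produces the "Only secure content is displayed" prompt. Run it against a response captured directly from the back end (bypassing WebSEAL) so that nothing has been rewritten yet.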

Tooltips display issue
Tooltips might not display if you use the keyboard (for example, the Tab key) to navigate to a field. Tooltips are displayed properly when you use a mouse to navigate to the field.
Creating a PIP resource when the database or LDAP server connection is not available returns the wrong response.
The request is accepted even though the PIP cannot reach its data source, so a successful API response does not prove that the connection works. For example, when you use the following command:

curl -k -s -S -b whatigot -D whatigot --user admin:admin \
  -X POST -H "Accept: application/json" -H "Content-Type: application/json" \
  --data-binary '{
    "name": "tldap1234",
    "description": "",
    "attributes": [
      {"name": "trusteer.pinpoint.csid", "selector": "wrongtestLdap"}
    ],
    "type": "LDAP",
    "predefined": false,
    "properties": [
      {"datatype": "String", "readOnly": false, "sensitive": false, "value": "objectclass=abc", "key": "searchBaseDN"},
      {"datatype": "String", "readOnly": false, "sensitive": false, "value": "cn=*", "key": "searchFilter"},
      {"datatype": "String", "readOnly": false, "sensitive": false, "value": "0cdebb0c-49d9-4179-a47a-52f759a4ff57", "key": "dataSource"}
    ]
  }' \
  "https://{appliance_host}/iam/access/v8/pips/"

The expected response is as follows:

HTTP/1.1 400 Bad Request

But the actual response is as follows:

HTTP/1.1 201 Created
The error message "illegal character" when you modify an SSO rule is always displayed in English.
The error message "illegal character" is always displayed in English no matter which locale your browser uses.
Audit events cannot be sent to the remote syslog server if certain information is not provided.
If you choose to send the audit events to a remote machine, you must specify the correct details on the Audit Configuration page for host, port, protocol, and certificates. Otherwise, the audit events cannot be sent to the remote machine.
Attribute sources that are in use by a federation or partner can be deleted.
Users can accidentally delete attribute sources that are in use by a federation or partner. Doing so causes errors in the federation. Ensure that an attribute source is not in use before you delete it.
Federation Module: The email address name ID format requires a mapping rule
If you use the email address name ID format in a SAML 2.0 federation, you must set the type of the STS Universal User principal attribute that is named "name" to:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

You can accomplish this by using a mapping rule. Following is an example:

// Get the current principal name.
var principalName = stsuu.getPrincipalName();
// Re-add the principal attribute "name" with its type set to the
// emailAddress name ID format so that the NameID is issued in that format.
stsuu.addPrincipalAttribute(new Attribute("name",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", principalName));
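The rule above tags whatever the principal name is as an email address. SAML 2.0 defines the emailAddress name ID format as an RFC 2822 addr-spec ("local@domain"), so a principal name such as a short user ID or a DN tagged this way yields a NameID the service provider may reject. The following added example (not code from the IBM documentation) is a stand-alone Node.js model of the same step that validates the value first. In a real mapping rule `stsuu` and `Attribute` are the runtime's own objects; here a minimal in-memory stand-in replaces them, and the identities used are constructed.

```javascript
// Added example (not from the IBM documentation). Models the mapping-rule step
// above with an addr-spec check before asserting the emailAddress format.
// PrincipalStandIn is an assumption standing in for the runtime's stsuu object.

const EMAIL_ADDRESS_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

// Deliberately strict addr-spec check: exactly one "@", no whitespace, quotes or
// angle brackets, and a dotted domain. Adjust to the identities your directory issues.
const ADDR_SPEC = /^[^\s@<>"]+@[^\s@<>"]+\.[^\s@<>"]+$/;

// Minimal stand-in for the STS Universal User principal (not the real API).
class PrincipalStandIn {
  constructor(name) {
    this.attributes = [{ name: 'name', type: null, value: name }];
  }
  getPrincipalName() {
    return this.attributes.find((a) => a.name === 'name').value;
  }
  addPrincipalAttribute(attr) {
    // Replace an existing attribute of the same name so the NameID is not duplicated.
    this.attributes = this.attributes.filter((a) => a.name !== attr.name).concat([attr]);
  }
}

/**
 * Tag the principal name as an emailAddress NameID, refusing values that are not
 * addr-specs so that a malformed NameID never reaches the service provider.
 */
function setEmailNameIdFormat(stsuu) {
  const principalName = stsuu.getPrincipalName();
  if (!ADDR_SPEC.test(principalName)) {
    throw new Error(`principal name "${principalName}" is not an email address; ` +
                    `refusing to assert ${EMAIL_ADDRESS_FORMAT}`);
  }
  stsuu.addPrincipalAttribute({ name: 'name', type: EMAIL_ADDRESS_FORMAT, value: principalName });
  return stsuu.attributes.find((a) => a.name === 'name');
}

// Usage with constructed identities.
const tagged = setEmailNameIdFormat(new PrincipalStandIn('alice@example.com'));
console.log(tagged.type);   // urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
try {
  setEmailNameIdFormat(new PrincipalStandIn('uid=alice,ou=people,dc=example,dc=com'));
} catch (e) {
  console.log('rejected:', e.message);
}
```

In the appliance, the same check would sit in front of the `stsuu.addPrincipalAttribute(new Attribute(...))` call shown above; what to do on failure (reject the request, or fall back to a different name ID format the partner accepts) is a federation design decision rather than something the mapping rule can infer.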
Personal certificates are not included in the list of selections when you choose certificates to use for encryption or signature validation with the SAML 2.0 partner management GUI
If you use the local management interface to choose certificates to be used for encryption or signature validation, only signer certificates are available for selection. Personal certificates are not included in the list of selections. As a workaround, use the REST API for these operations.
Federation module: The RSA-OAEP key encryption algorithm is not supported with HSM keys
IBM Security Verify Access does not support decryption of SAML 2.0 messages that use the RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) key transport algorithm with Hardware Security Module (HSM) keys. The RSA-OAEP algorithm is supported with software (non-HSM) keys. The XML Encryption algorithm identifier for RSA-OAEP is http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
The upgrade from Security Access Manager 8.0, 8.0.0.1, and 8.0.0.2 does not correctly migrate the authentication module policies for Security Verify Access for Mobile.

The workaround is to create the default set of authentication policies with the local management interface or the REST API.

The following link creates a customized query of the live Support knowledge base for items specific to IBM® Security Verify Access, Version 10.0, and its fix packs.

IBM Security Access Manager technical documents

You can also create your own search query on the IBM Support Portal. For example:

  1. Go to the IBM Support Portal: http://www.ibm.com/support/entry/portal/support
  2. In the Search field, enter: Verify Access.
Configuring an Identity Provider and a Service Provider as partners on the same appliance or on the same external HVDB is not recommended
Configuring an Identity Provider and a Service Provider as partners on the same appliance or on the same external HVDB is not recommended, because several features might not function correctly. The problems include, but are not limited to, the following:
  • SAML single sign-on flows that use the HTTP Artifact binding do not work, because of key conflicts when the messages are stored in the runtime database.
  • The STS chain mappings that are created internally for the Identity Provider and the Service Provider have identical 'issuer' and 'applies to' values, which can lead to unexpected behavior during runtime flows.
  • Database contention, because DMAP entries can be inserted or modified simultaneously by the Identity Provider and the Service Provider.

It is recommended that an Identity Provider and a Service Provider that are partners reside on separate appliances, each configured with its own external HVDB.

Synchronization of WebSEAL data is unable to handle deleted junctions
The current WebSEAL sync functionality picks up new entries or junctions and modifications to existing entries or junctions. However, it cannot detect a deleted junction or entry. This limitation applies to both configuration entries and junctions.
Local management interface (LMI) session timeouts
LMI sessions expire after the duration of time that is specified by the Session Timeout field on the Administrator Settings page. When a session timeout occurs, you are automatically logged out and any unsaved data on the current page is lost.

Save your configuration updates in the LMI regularly to avoid data loss in the event of a session timeout.

PAM Support
The Web Application Firewall capability will reach end of service on 31 December 2022. After this date, no further updates will be made available. Customers can continue to use the capability on an as-is basis, and support will be available for general information and existing functionality only. No defect support will be available.