What's new in this release
IBM Security Verify Access provides new features and extended functions for Version 10.0.4.
Verify Access Platform
- WebSEAL quiescing of Web requests on shutdown
It is now possible to configure WebSEAL to wait, on shutdown, for outstanding Web requests to be processed. See max-shutdown-quiesce-wait-time.
- WebSEAL SSL Session Warnings
WebSEAL can now be configured to display a warning message when the SSL session renegotiation rate between clients and WebSEAL reaches a specified threshold. See ssl-reneg-warning-rate.
- WebSEAL Cookie Flushing
It is now possible to configure WebSEAL to flush specific cookies in the browser when an initial request is made from the browser. This provides a mechanism to clear stale cookies which might be present in the browser. See flush-cookie.
- WebSEAL failover cookie support
The WebSEAL failover cookie can now also be used for failover authentication when the session has been established using the native WebSEAL OIDC RP authentication mechanism. See Failover cookie.
- WebSEAL Template Files
A new WebSEAL template macro has been created which allows a WebSEAL translated message to be inserted into a WebSEAL error or management page. The out-of-the-box WebSEAL error and management pages have also been converted to use these message macros, replacing the previous translated pages. See Macro resources for customizing response pages.
A new configuration item has been added to the WebSEAL configuration file, ‘enabled-html-languages’, which allows an administrator to enable and disable the specific languages used by WebSEAL when generating error or management responses. See Disable Specific Languages.
- WebSEAL Statsd support
WebSEAL currently supports the transmission of statistical information to a statsd server. It is now possible to specify a prefix for the name of the metrics which are sent to the statsd server. See Sending statistics to Statsd.
- WebSEAL management of the P3P header
It is now possible to disable the insertion of a P3P header into a WebSEAL response. See enable-p3p.
- System Hostname
A specific IPv4 management address can now be elected as the Primary Address. A Primary Address is the IP address that will be associated with the system hostname in the system hosts file. See Configuring interfaces.
- CPU alerts
CPU alert notifications are now only raised if the CPU threshold is exceeded for a configurable number of reporting periods (each reporting period is set to 30 seconds). By default, the CPU threshold must be exceeded for 3 reporting periods before an alert notification is raised. This number can be adjusted using the ‘wga_notifications.cpu.usage_interval_count’ advanced tuning parameter.
Important: This is a critical update and might impact backward compatibility.
- CLI command to manage extensions
The command line interface is now updated to allow administrators to list the installed extensions on an appliance and remove an installed extension. This allows administrators to remove an extension even if the management interface of the appliance becomes unresponsive.
- Support for Glowroot for the management interface
The IBM Security Verify Access Extension for Glowroot is now updated to allow monitoring of the Management (LMI) server. Administrators can monitor the performance of both the Runtime and LMI application servers by using Glowroot.
- Support for IBM Instana monitoring extension
A new extension is available from IBM Security App-Exchange which uploads and installs the Instana monitoring agent on Virtual Appliance deployments of IBM Security Verify Access. This agent collects hardware and application metrics and sends this information to your Instana cloud tenant. See https://www.instana.com/ to learn more about the Instana monitoring capabilities.
- Update of application server integration guides
The integration guides for Java application servers are now updated to use JWT authentication. User and group information can be supplied by WebSEAL by using a standards-based format which is cryptographically verified. Integration guides are available to integrate JBoss, Wildfly, Liberty, and Tomcat application servers with IBM Security Verify Access. See IBM WebSphere Liberty SSO.
- Management Authorization
The REST APIs for Management Authorization now list the in-built admin account within the "Full Write" role.
Important: This is a critical update and might impact backward compatibility. See Critical Changes for more details about this change.
- Extensions now generate installation log files
The Extension endpoint has been updated to capture the log output from installation scripts. This log file can be reviewed in the Application Log Files section of an appliance in the Extensions directory.
- HTTP Transformation Rules
It is now possible to implement HTTP transformation rules in the Lua scripting language. See HTTP transformations.
- WebSEAL generated response files
The default WebSEAL management template files (for example: login.html) have been updated so that embedded images, styles and scripts are now located in separate files. These files reside in a new location which supports ad-hoc template files. See Management root.
Important: This is a critical update and might impact backward compatibility.
- WebSEAL WebSocket worker threads
It is now possible to configure a different pool of WebSocket worker threads for different interfaces. See Defining extra interfaces.
- WebSEAL Certificate EAI
Subject Alternate Name (SAN) fields are now available to certificate EAI applications. See eai-data.
- Migrating the runtime environment
It is now possible to migrate the runtime environment from one appliance to another. See Exporting the runtime environment configuration.
- Appliance Boot Progress
The progress of the appliance bootstrapping is now displayed on the appliance console while the appliance is booting.
- Improved API to list all junctions for a WebSEAL instance
The list junction management API now supports a new query string parameter. If the query string parameter detailed=true is supplied with the request, then the detailed junction configuration is returned along with the existing name and type attributes. See Junctions.
- Luna SafeNet HSM support in a containerized environment
A Luna SafeNet HSM device can now be used to manage cryptographic keys in a containerized environment.
- JSON logging in the Docker configuration container
It is now possible to enable JSON based console logging in the configuration container by setting the LOGGING_CONSOLE_FORMAT and LOG_TO_CONSOLE environment variables. See Docker image for Security Verify Access.
- System alert logging
It is now possible to send system alerts to the console of the configuration container by setting the LOG_TO_CONSOLE environment variable. See Docker image for Security Verify Access.
- Amazon Web Services (AWS) Marketplace
The IBM Security Verify Access image available from the AWS Marketplace is now available for the current generation instance types.
Important: This is a critical update and might impact backward compatibility.
- Forwarding of federated runtime server audit log
The audit log file for the federated runtime server can now be forwarded to remote systems. Administrators are now able to forward the message, trace and audit logs from the AAC/Federation runtime to a centralized system. See Forwarding logs to a remote syslog server.
- WebSEAL static server response pages
HTTP Status Code 503 is used when returning the "Third-party server not responding" response page 38cf04d7.html. Previously HTTP Status code 500 was used. See Static server response pages.
- Export to IBM Application Gateway
It is now possible to export junctions and selected features from web reverse proxy instances to YAML configuration documents which can be used as a starting point to configure IBM Application Gateway. See Exporting to IBM Application Gateway.
Advanced Access Control (AAC)
- Template Page Locale Configuration
It is now possible to specify and manage a list of allowed locales for AAC and Federation template files, and a default locale to use as a fallback. See SPS Page.
- FIDO2 PAIR (Platform Authenticator Inline Registration)
The example scenario previously known as How to FIDO, which prompts a user to register a FIDO2 user-verifying platform authenticator as part of the login process, has been improved and renamed. It now leverages Reverse Proxy remember-me functionality to fetch a user’s enrolled authenticators. See Scenarios.
- Support for FIDO2 Metadata Services
FIDO2 attestation validation now supports the downloading of dynamic metadata from a list of configured metadata services. See Metadata.
- XPath mapping rule utility class
A new whitelisted utility class has been added to allow a specified XPath to be evaluated on an XML document or element to retrieve a node or list of nodes. See XML Mapping Rules Method.
- SCIM Configuration Caching
Performance improvements have been made to the method that the SCIM application uses for caching configuration. Configuration changes now only require a runtime reload instead of a full restart.
- Default Junction Advanced Configuration entry
A new Advanced Configuration entry has been added to allow an administrator to specify the Junction name to be substituted for the @JUNCTION@ macro. See Advanced configuration properties.
- New Java helper methods for MMFA Transactions
The MechanismRegistrationHelper has been updated to include new methods to get MMFA transactions by user or transaction ID. This enables an administrator to check the status of a transaction in a JavaScript mapping rule. The Javadoc for these new methods can be found in a Verify Access appliance under .
- Template Files updated to be content security policy compliant
The advanced access control template files have been modified to alleviate content security policy violations. See Template Files and Content Security Policy.
Federation
- Dynamic client registration status code update
Previously the status code for a successful registration was 200, but the specification mandates a 201. The dynamic client registration now returns a 201 status code for a successful registration to ensure compliance with the specification. See Dynamic client registration.
Important: This is a critical update and might impact backward compatibility.
- Federation template files
The default Federation template files (for example: user_consent.html) have been updated so that embedded images, styles, and scripts are now located in separate files. See Template page scripting.