What's new in this release
IBM Security Verify Access provides new features and extended functions for Version 10.0.9.
Verify Access Platform
- Support for the Partitioned HTTP cookie attribute.
WebSEAL supports the Partitioned HTTP cookie attribute. For more information, see cookie-name-pattern.
- Support for logging the source port in the WebSEAL request log.
WebSEAL can include the source port from which a request was received in the request log. For more information, see Customizing the HTTP request log.
- New ARP cache command added to CLI.
Administrators are now able to purge entries from the ARP cache from the SSH CLI. The networking>arp>delete command can be used to remove entries from the local ARP cache. For more information, see Command-line interface.
- Support for setting a label on imported personal SSL certificates
Users can now specify a label for personal SSL certificates during the import process. For more information, see Managing personal certificates in a certificate database.
- A new notification to indicate when all external network services are not accessible.
This notification message indicates when all external network services (the Configuration Database or the Runtime Databases) are not accessible. It is in addition to the existing notification that is raised when an individual external network service is not accessible.
- A new administrator setting for the JavaScript language version.
An administrator setting can be set to control the JavaScript language version that is used to run server-side JavaScript functions in a Java context. This setting affects both:
  - Management authentication with a remote LDAP user registry when a user mapping function is specified. For more information, see Configuring management authentication.
  - Management authentication with federated SSO when a token mapping function is specified. For more information, see Configuring management authentication.
For more information, see Configuring administrator settings.
- Support for providing the junction name as a request header.
WebSEAL can include the junction name as a header in requests that are sent to the junctioned application. For more information, see header-data.
- Support for exporting Web Application Firewall (WAF) configurations to IBM Application Gateway.
The Features tab in the Export to IBM Application Gateway wizard now includes an option to export WAF policies. The exported policies contain the reverse proxy instance-specific configuration, shared configuration, and rules.
- ModSecurity v3.0.13
The web application firewall now uses ModSecurity v3.0.13. For more information, see Web Application Firewall.
- Added support for PostgreSQL version 16
PostgreSQL server version 16 is now supported and can serve as the host for both configuration and runtime databases. For more information, see Managing cluster configuration.
- Suppression of warning message DPWIV1212W when Common Name (CN) verification is used for mutually authenticated junctions.
The warning message "DPWIV1212W No server DN is defined for '%s'. The junctioned server DN verification is not performed." is no longer logged for servers when CN verification is performed. This warning is only logged when no name verification is performed.
- Audit events for certificate OCSP status
Reverse proxy now generates audit events when clients present certificates with unknown OCSP status. For more information, see events 128 and 129 in XML output elements.
Advanced Access Control (AAC)
- HttpClientV2
The Parameters object can now be used to pass nested data, including data arrays, or a JSON string to the various HttpClientV2 methods.
- Advanced Configuration Cleanup and Archive Tasks
The advanced configuration properties that relate to the various cleanup tasks can be managed by using a new LMI page. For more information, see Managing Cleanup and Archive Tasks.
- JavaScript Language Version.
The advanced configuration property js.version controls the JavaScript language version for all components that run server-side JavaScript functions in a Java context. These components include:
  - Mapping rules.
  - JavaScript PIPs.
  - Fingerprinting.
  - Mediators.
For more information, see Advanced configuration properties.
- Magic Link Authentication Policy
A new magic link authentication policy bundle is now available for download at https://github.com/IBM-Security/verify-access-aac-authentication-policies. For more information, see Importing a bundled authentication policy.
- Update to UserLookupHelper Java method.
The UserLookupHelper init(...) methods now return an int instead of void. This value can be used to determine whether the connection to the LDAP server was successful.
- Scoped LDAP searches in InfoMap JavaScript authentication mechanisms.
The search method in the AttributeUtil class now includes support for scoped LDAP searches by using Search Controls. For more information, see Verify Access Javadoc.
- New context property in InfoMap JavaScript authentication rules.
A new property is introduced in the InfoMap JavaScript mapping rules context, allowing administrators to access the target URL that triggers the current authentication process. For more information, see Authentication policy parameters and credentials.
- Mobile Multi-Factor Authentication Transaction Correlation
Mobile multi-factor authentication can now display a correlation value for each transaction that a user must enter in IBM Verify before the transaction is approved. For more information, see Mobile Multi-Factor Authentication.
- HVDB Database Timestamp
A new column, last_updated_at is added to the HVDB tables. This column can be used with database-specific triggers to add a timestamp to all entries in the tables. By default, the column remains unused and empty. Adding the triggers to an external database and any subsequent usage of this column is at the discretion of the database administrator.
- Firebase Push Notification Providers
With the shutdown of the Google FCM HTTP API, any Firebase push notification providers must update their configuration to ensure continued functionality. Instead of using a server API key for authentication, a service account JSON file is now required. All existing Firebase push notification providers must be updated to include the service account JSON to maintain successful push notifications. Also, this change impacts the web service API. The server_key field is deprecated and replaced by the new service_account_json field. For more information on configuring push notification providers, see: Push notification registration.
- Runtime Tuning Parameters
The tuning of the runtime profile SSL connection properties is split into distinct values for inbound and outbound connections. Outbound connections use the existing Keystore, Keystore Label and Truststore properties. Inbound connections use the new Inbound Keystore, Inbound Keystore Label and Inbound Truststore properties. For more information, see Tuning runtime application parameters and tracing specifications.
- Updated Hidden Macros
The default value of the advanced configuration property sps.page.hiddenMacros is updated to include the macro @EXCEPTION_MSG@. Response pages that include the hidden macros will not include the macro value. For more information, see: Common advanced configuration properties.
- Authentication Service Target URLs
A new advanced configuration property is created to specify the list of allowed target URLs for an authentication service request. The property sps.authsvcTargetURLAllowList lists the valid URL regular expressions that can be used as a redirect target by the authentication service. The default value only allows targets in the same domain. For more information, see: Common advanced configuration properties.
- SAML 2.0 and OpenID Connect Target URLs
The property sps.targetURLWhiteList has been updated to only apply to SAML 2.0 and OpenID Connect target URLs. The default value now only allows targets in the same domain. For more information, see: Common advanced configuration properties.
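The two allowlist properties described above (sps.authsvcTargetURLAllowList and sps.targetURLWhiteList) are lists of URL regular expressions whose default admits only same-domain targets. The following Python is an added illustration, not IBM's code, of how such a redirect-target check should evaluate candidates and why each pattern must be anchored; the sample pattern list, the same-domain pattern builder and the relative-path handling are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit


def same_domain_pattern(host):
    """Build an anchored pattern that admits only https URLs on one host."""
    return r"^https://" + re.escape(host) + r"(/.*)?$"


# Constructed sample allowlist for this example (not the product's default).
ALLOWED_TARGET_PATTERNS = [
    same_domain_pattern("www.example.com"),
    r"^https://[a-z0-9-]+\.example\.com(/.*)?$",
]


def target_allowed(url, patterns=ALLOWED_TARGET_PATTERNS):
    """Return True if url may be used as a redirect target.

    Assumptions for this example: a relative path is always treated as
    same-domain; an absolute URL must be https and fully match one pattern.
    """
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Plain path: refuse protocol-relative ("//host") and backslash
        # forms that some browsers normalise into a different host.
        return url.startswith("/") and not url.startswith("//") and "\\" not in url
    if parts.scheme.lower() != "https":
        return False
    # fullmatch, not search: an unanchored pattern such as
    # "https://www\.example\.com" would also accept
    # "https://www.example.com.evil.test/" because only the prefix matches.
    return any(re.fullmatch(p, url) for p in patterns)


def unanchored_patterns(patterns):
    """Lint a configured list: return entries missing a ^ or $ anchor."""
    return [p for p in patterns if not (p.startswith("^") and p.endswith("$"))]
```

Running unanchored_patterns over a configured list before deploying it catches the most common mistake with this kind of property.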
Digital Credentials
- Support for Verifiable Credentials
A digital credentials service is available to support Verifiable Credentials. For more information, see Digital Credentials overview.
Federation
- OpenID Connect provider metadata cache
The metadata that an OpenID Connect relying party retrieves from an OpenID Connect provider is cached, so subsequent requests do not require a new retrieval each time. The cache’s entry lifetime and maximum size can now be configured using the advanced configuration properties oidc.rp.metadata.cache.lifetime and oidc.rp.metadata.cache.maxsize. For more information, see Common advanced configuration properties.
- IBM Verify Identity Access OIDC Provider
IBM Verify Identity Access OIDC Provider (IVIAOP) is released on a continuous release model. For a formal list of features and changes in the IVIAOP releases, see What's New.
Supporting Program Updates
Some IBM Security Verify Access licenses include bundled supporting software. The following updates to this software were made in this release.
- IBM Security Verify Directory
IBM Security Directory Server v6.4 and IBM Security Directory Suite v8.0.1 are no longer bundled with Verify Access. Migrate your environments to Verify Directory v10.0.
For more information, see the license documents here.