What's new in this release

IBM® Security Access Manager provides new features and extended functions for Version 9.0.3.

Access Manager Platform

  • Distributed session cache supports the Web Reverse Proxy switch user function

    The Web Reverse Proxy (also known as WebSEAL) switch user function is now supported by the distributed session cache. The switch user function enables administrators to assume the identity of other users without knowing their account authorization information, such as the password.

  • Control which data to include in the support file

    When you create a support file, you can select which data (categories and instances) to include in the support file. With this function, you can create smaller support files that contain only the information you need. See Managing support files.

  • Thales nShield Connect version update

    The appliance embeds Thales nShield client software v12.30 (hardserver version 3.67.11). See Configuring network Hardware Security Module (HSM) support.

  • The policy_db_dump CLI command

    You can validate and maintain the Security Access Manager policy database with the policy_db_dump CLI command. See Command-line interface.

  • Appliance trial

    An appliance trial can be activated by uploading a trial certificate. See Managing trial settings.

  • Testing TCP or SSL connection with the LMI

    In addition to using the CLI command, you can now test a TCP or SSL connection by using the LMI. See Testing the connection.

  • Loopback interface

    You can configure a loopback interface, which is useful for load balancing using the direct routing method. See Configuring interfaces.

  • Running CLI commands through web service calls

    A generic web service is available that can be used to programmatically invoke most CLI commands. See Command-line interface.

  • Export the internal runtime database

    Export the current runtime data from the internal database so that it can be imported into an external database of the chosen type. See Runtime database.

  • Red Hat Enterprise Virtualization (RHEV) support

    You can run the virtual appliance in a Red Hat Enterprise Virtualization (RHEV) environment. See Installing the virtual appliance by using Red Hat Enterprise Virtualization (RHEV).

  • Microsoft Hyper-V support

    You can run the virtual appliance in a Microsoft Hyper-V environment. See Installing the virtual appliance by using Microsoft Hyper-V.

  • Microsoft Azure support

    You can deploy Security Access Manager to Microsoft Azure environments. See Microsoft Azure support.

  • Customizing the SSHD port setting

    Customize the SSHD port by modifying the SSHD port parameter on the Administrator Settings LMI page. See Configuring administrator settings.

  • Installing the virtual appliance by using the provided OVA file

    A pre-installed appliance image is provided in the form of an OVA file that can be imported into VMware. See Installing the virtual appliance by using the OVA file.

Advanced Access Control

  • Batch multiple authorization requests in one RTSS request

    XACML 2 supports making a request that covers multiple resources and receiving a decision for each resource. This feature is now available in the policy evaluator that RTSS uses when you submit JSON-formatted requests. For more details, see the REST API documentation.

  • Decision caching

    The appliance now supports decision caching of Advanced Access Control decisions. You can use the cba-cache-size stanza entry in the [rtss-eas] stanza along with the CBACacheResult extended attribute in the object space to enable decision caching. See cba-cache-size.

    You can also enable decision caching by using the Resources page in the LMI. See Managing access control policy attachments.

  • Defining a custom application for policy attachments

    Access control policies can now be deployed against custom application resources. See Managing access control policy attachments.

  • OAuth introspection

    An OAuth introspection endpoint compatible with RFC 7662 is available. See OAuth introspection.

  • The type of the username attribute in the JWT and SAML bearer grant type flow

    The type of the username attribute that is added must be "urn:ibm:names:ITFIM:oauth:rule:decision" to ensure that only a value populated from the rule is used. See Actions to be performed in mapping rules.

  • FIDO Universal 2nd Factor mechanism

    With this authentication mechanism, users can authenticate by using registered FIDO Universal 2nd Factor tokens. See Configuring a FIDO Universal 2nd Factor authentication mechanism.

  • API Protection form post response mode support

    The appliance supports the form post response mode, which allows a client to make an OAuth authorization request and receive a self-posting form rather than a 302 response. See API Protection form post response mode.

  • REST API level validation of STS chain properties

    The Federation module now supports REST API level validation of STS chain properties. After upgrade from a previous release to Security Access Manager Release 9.0.3, if you perform a GET REST API call on the chain, you might find that some STS chain properties that were configured prior to the upgrade are now missing. The properties are missing because either a property name was invalid, or a property name had an invalid prefix. The missing properties can be ignored because in previous releases they had no effect during the execution of chains.

    If the invalid property name or invalid prefix was a user error, you as administrator can reset the property from either a REST API call or the LMI. The reset overwrites the previously stored invalid property.

    If a chain property has an invalid value, an error message might be displayed after the upgrade when the STS chain is updated from the LMI or by a REST API call. For the chains to work correctly after an upgrade, you as administrator must fix the chain properties that cause the error messages.

  • Template page scripting

    You can use JavaScript to add server-side scripting for Advanced Access Control and Federation template pages. JavaScript functions, closures, objects, and delegations are supported. Use this feature, for example, to customize error messages that are displayed by the runtime server. See Template page scripting.

  • Connection to IBM Cloud Identity

    You can configure an IBM Security Access Manager deployment to connect with IBM Cloud Identity, a product that offers single sign-on capability to cloud applications. With this connection, IBM Security Access Manager end users can single sign-on to IBM Cloud Identity, and then further single sign-on to cloud applications. See Connection to IBM Cloud Identity.