What's new in this release

The Web Reverse Proxy (aka WebSEAL) switch user functionality is now supported by the distributed session cache. The switch user function enables administrators to become other users without knowing their account authorization information such as password.

When you create a support file, you can select which data (categories and instances) to include in the support file. With this function, you can create smaller support files that contain only the information you need. See Managing support files.

The appliance embeds Thales nShield client software v12.30 (hardserver version 3.67.11). See Configuring network Hardware Security Module (HSM) support.

You can validate and maintain the Security Access Manager policy database with the policy_db_dump CLI command. See Command-line interface.

An appliance trial can be activated by uploading a trial certificate. See Managing trial settings.

In addition to using the CLI command, you can now test a TCP or SSL connection by using the LMI. See Testing the connection.

You can configure a loopback interface, which is useful for load balancing using the direct routing method. See Configuring interfaces.

A generic web service is available which can be used to programmatically invoke most CLI commands. See Command-line interface.

Export the current runtime data from the internal database so that it can be imported into an external database of the chosen type. See Runtime database.

You can run the virtual appliance in a Red Hat Enterprise Virtualization (RHEV) environment. See Installing the virtual appliance by using Red Hat Enterprise Virtualization (RHEV).

You can run the virtual appliance in a Microsoft Hyper-V environment. See Installing the virtual appliance by using Microsoft Hyper-V.

You can deploy Security Access Manager to Microsoft Azure environments. See Microsoft Azure support.

Customize the SSHD port by modifying the SSHD port parameter on the Administrator Settings LMI page. See Configuring administrator settings.

A pre-installed appliance image is provided in the form of an OVA file that can be imported into VMware. See Installing the virtual appliance by using the OVA file.

XACML 2 supports making requests based on multiple resources and receiving a decision for each resource. This feature is now available in the policy evaluator that RTSS uses when you make the request by using JSON formatted requests. For more details, see the REST API documentation.

The appliance now supports decision caching of Advanced Access Control decisions. You can use the cba-cache-size stanza entry in the [rtss-eas] stanza along with the CBACacheResult extended attribute in the object space to enable decision caching. See cba-cache-size.

You can also enable decision caching by using the Resources page in the LMI. See Managing access control policy attachments.

Access control policies can now be deployed against custom application resources. See Managing access control policy attachments.

An OAuth introspection endpoint compatible with RFC 7662 is available. See OAuth introspection.

The type of the username attribute added must be "urn:ibm:names:ITFIM:oauth:rule:decision" to ensure that only a value populated from the rule is used. See Actions to be performed in mapping rules

With this authentication mechanism, users can authenticate by using registered FIDO Universal 2nd Factor tokens. See Configuring a FIDO Universal 2nd Factor authentication mechanism.

The appliance supports the form post response mode, which allows a client to make an OAuth authorization request and receive a self-posting form rather than a 302 response. See API Protection form post response mode.

The Federation module now supports REST API level validation of STS chain properties. After upgrade from a previous release to Security Access Manager Release 9.0.3, if you perform a GET REST API call on the chain, you might find that some STS chain properties that were configured prior to the upgrade are now missing. The properties are missing because either a property name was invalid, or a property name had an invalid prefix. The missing properties can be ignored because in previous releases they had no effect during the execution of chains.

If the invalid property name or invalid prefix was a user error, you as administrator can reset the property from either a REST API call or the LMI. The reset overwrites the previously stored invalid property.

If a chain property has an invalid value, an error message might display after the upgrade, when the STS chain is updated from the LMI or by a REST API. In order for the chains to work correctly after an upgrade, you as administrator must fix the chain properties that cause the error messages.

You can use JavaScript to add server side scripting for Advanced Access Control and Federation template pages. JavaScript functions, closures, objects and delegations are supported. Use this feature, for example, to customize error messages that are displayed by the runtime server. See Template page scripting.

You can configure an IBM Security Access Manager deployment to connect with IBM Cloud Identity. This connectivity enables IBM Security Access Manager end users to single sign-on to IBM Cloud Identity, and then further single sign-on to cloud applications. The IBM Cloud Identity product offers single sign-on capability to cloud applications. See Connection to IBM Cloud Identity.