What's new in this release
IBM® Security Access Manager provides new features and extended functions for Version 9.0.7.
Access Manager Platform
- API Access Control
A new API Access Control component has been added that provides a simple way to configure IBM Security Access Manager to protect a RESTful API. See API Access Control. This includes:
- A simplified configuration of the existing components that are used when IBM Security Access Manager protects an API.
- Mapping of multiple URL aliases to the actual API path.
- Enabling IBM Security Access Manager to serve documentation for the API.
- Enhanced support for POP authorization using credential attribute matching. See Using Credential Attributes in Authorization Decisions.
- OAuth Introspection
The Web Reverse Proxy is now able to use an OAuth Introspection end point to validate an OAuth token. See OAuth Introspection.
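The introspection exchange the Web Reverse Proxy performs follows RFC 7662: the proxy POSTs the bearer token to the authorization server's introspection endpoint, authenticating with its own client credentials, and the server answers with a JSON object whose "active" flag and claims decide the request. The example below is added here to show the checks that decision needs; it is not IBM Security Access Manager code, and the endpoint URL, client credentials and sample responses are constructed for the example.

```python
"""Added example (not IBM Security Access Manager code): the checks a reverse
proxy should apply to an RFC 7662 token introspection response before it lets
a request through. The introspection endpoint, the proxy's client credentials
and the sample responses are constructed for this example."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed sample responses, keyed by token, standing in for what an
# authorization server's introspection endpoint would return.
SAMPLE_RESPONSES = {
    "good-token": {"active": True, "scope": "read write", "client_id": "app1",
                   "sub": "alice", "exp": 4102444800, "aud": "https://api.example.com"},
    "expired-token": {"active": True, "scope": "read", "sub": "bob",
                      "exp": 1000000000, "aud": "https://api.example.com"},
    "wrong-aud": {"active": True, "scope": "read", "sub": "carol",
                  "exp": 4102444800, "aud": ["https://other.example.com"]},
    "revoked-token": {"active": False},
}


def build_introspection_request(token, client_id, client_secret,
                                token_type_hint="access_token"):
    """Return (headers, body) for the POST to the introspection endpoint.

    Introspection is itself a protected resource: the proxy authenticates with
    its own client credentials (HTTP Basic here), never with the token under test.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})
    return headers, body


def post_introspection(endpoint, headers, body, timeout=5):
    """Send the request over the network and decode the JSON reply.

    Not exercised below (the demo uses SAMPLE_RESPONSES) so the example runs offline.
    """
    req = urllib.request.Request(endpoint, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def evaluate_introspection(resp, required_scopes, expected_aud, now=None):
    """Decide whether the request may proceed. Returns (allowed, reason).

    Every branch fails closed: an inactive token, a missing or past exp, a
    not-yet-valid nbf, an audience that does not name this resource, or a
    missing scope all deny the request.
    """
    now = time.time() if now is None else now
    # RFC 7662: when "active" is false the server may omit every other claim,
    # so nothing else in the response is worth reading.
    if not isinstance(resp, dict) or resp.get("active") is not True:
        return False, "token inactive"
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    nbf = resp.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "token not yet valid"
    aud = resp.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "audience mismatch"
    # scope is a space-delimited string (RFC 6749 section 3.3).
    granted = set(resp.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scope: " + " ".join(missing)
    return True, "ok"


def authorize(token, required_scopes, expected_aud, now=None,
              fetch=lambda t: SAMPLE_RESPONSES.get(t, {"active": False})):
    """End-to-end check for one bearer token; `fetch` would be replaced by a
    real post_introspection call against the authorization server."""
    return evaluate_introspection(fetch(token), required_scopes, expected_aud, now)


if __name__ == "__main__":
    for tok in SAMPLE_RESPONSES:
        print(tok, authorize(tok, ["read"], "https://api.example.com", now=1700000000))
    print("unknown", authorize("unknown", ["read"], "https://api.example.com"))
```

The point worth carrying into any deployment is that an unknown or revoked token and a malformed response produce the same denial, and that the proxy checks expiry, audience and scope itself rather than trusting "active" alone.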
- HTTP Transformation Rules
The XML representation of the HTTP Response object now exposes all of the elements of the HTTP Request object so that they can be used in the response transformation. See HTTP Transformation Rules.
HTTP Transformation Rules now support regular expressions, which can be used to match and replace strings. See XSL Transformation Rules.
HTTP Transformation Rules can now be used to specify the ACL bits that are used in the authorization decision for the request. See XSL Transformation Rules.
- Internal Redirects
WebSEAL can now use the Location header in a 302 response to determine whether the redirect is returned to the client or followed internally. See follow-redirects-for.
- ignore-svc-unavailable
Use ignore-svc-unavailable to control whether WebSEAL handles a 503 'Service Unavailable' response from a back-end server itself or returns it to the client. See ignore-svc-unavailable.
- Configurable Login Banner
Users can now customize the login page of the Local Management Interface (LMI) on the appliance. See Local management interface.
- Rate limiting
A rate limiting policy file can now contain multiple matching criteria. This allows a single rate limiting policy file to be used to rate limit multiple distinct resources. See Rate Limiting.
- Web Content Protection
The Web Content Protection capability of the Web Reverse Proxy is updated so that the user name and browser information fields can now be included in the audit record for dropped connections. See pam-fail-early. An option is now also provided to use a string representation of the time in the audit record. See pam-use-epoch-time.
- Pending Changes
A summary of pending changes for all users can now be viewed and managed using the Command Line Interface (CLI). See Command-line Interface.
- Recursive Object Delete
The 'object delete' pdadmin command, available through the CLI or the '/isam/pdadmin' Web Service, is now extended to allow a recursive delete of objects in the object space. See object delete.
- Reverse Proxy Sessions
The reverse proxy can now store non-cookie based sessions in a local session cache when the distributed session cache is enabled. See dsess-support-local-sessions.
- Support for Transport Layer Security (TLS) version 1.3
WebSEAL now supports TLS v1.3 for both client-side SSL connections and junction connections. See [ssl] disable-tls-v13 and [junction] disable-tls-v13.
- WebSEAL Password Update Callouts
WebSEAL can now be configured to make a REST call before and after a user password is updated. See password-callouts.
- Network Key Files (HSM device support)
The SafeNet Luna Network HSM and nCipher nShield Connect driver files are no longer embedded within the IBM Security Access Manager firmware. The required files are now available for download as an appliance extension from the IBM Security App Exchange. See https://exchange.xforce.ibmcloud.com/hub/IdentityandAccess.
- ISAM Docker Container
The ISAM Docker container no longer needs to run as the root user. It now runs as the 'isam' user (uid 6000). See Docker Image for Security Access Manager.
- ISAM Docker Container handling of log files
Containers now store log files in container specific directories on the log volume. See the "Log files" section in Docker Image for Security Access Manager.
- Red Hat OpenShift support
The ISAM Docker container is now supported on the Red Hat OpenShift platform. See Kubernetes Support.
Advanced Access Control
- SCIM updates
The new End-User License Agreement (EULA) scimlet provides a mechanism to manage user data through the SCIM API. See Resource Schemas.
- Oracle Database Support
SSL connectivity to Oracle Database is now improved when you deploy an external Oracle Database as the Configuration Database or Runtime Database. See Deploying an external configuration database and Deploying an external runtime database.
- FIDO2 and WebAuthn Support
Users can now register and authenticate with FIDO2 and WebAuthn authenticators. See FIDO and WebAuthn Support.
Federation
- Dynamic level MappingRules TraceString utilities
Ability to set the log level when using the IDExtMappingUtils traceString function. For more information, see the Javadoc. In the LMI, navigate to . Continue to .
- Customize AuthnContextClassRef values
Customize the AuthnContextClassRef values using the mapping rule. See Customizing AuthnContext using identity mapping rule.
- Support for Dynamic ACS URLs with regular expression
A new configuration parameter saml20.idp.acsurlpattern is added. This parameter allows regular expression matching for the AssertionConsumerService URL and the protocol endpoint, so that a dynamic AssertionConsumerService URL that matches the regular expression can be provided in the AuthnRequest. See Advanced Configuration Properties. Because the AuthnRequest arrives through the user's browser, the AssertionConsumerService URL in it can be attacker-supplied; keep the pattern anchored and specific to the service provider's host and ACS path so that an assertion cannot be delivered to an endpoint the service provider does not control.
- Support for Kerberos STS Module
The IBM Security Access Manager Federation component now supports the Kerberos STS module in Validate mode. See Kerberos Module.
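The dynamic ACS URL pattern described under "Support for Dynamic ACS URLs with regular expression" is worth testing against hostile inputs before it is deployed, since whatever the pattern accepts becomes a valid destination for a signed assertion. The example below is added here for that purpose; it is not IBM Security Access Manager code and does not assume how the product anchors saml20.idp.acsurlpattern, which is why it shows a loose pattern under both substring and whole-string matching next to a strict one. The service provider hostname, patterns and probe URLs are constructed for the example.

```python
"""Added example (not IBM Security Access Manager code): auditing an
AssertionConsumerService URL pattern against attacker-shaped URLs. The SP
hostname, the patterns and the probe URLs are constructed for this example."""
import re

# Constructed probes: one legitimate ACS URL and four that an attacker can
# place in an AuthnRequest, because the request travels through the user's browser.
PROBE_URLS = [
    "https://sp.example.com/saml/acs/tenant1",                                 # legitimate
    "https://sp.example.com.attacker.test/saml/acs/tenant1",                   # attacker host with a matching prefix
    "https://attacker.test/acs?next=https://sp.example.com/saml/acs/tenant1",  # legitimate URL embedded as a substring
    "https://sp.example.com@attacker.test/saml/acs/tenant1",                   # userinfo trick: the real host is attacker.test
    "http://sp.example.com/saml/acs/tenant1",                                  # plaintext downgrade
]

# Loose: unescaped dots, open-ended tail, nothing terminates the hostname.
LOOSE_PATTERN = r"https://sp.example.com.*"
# Strict: escaped dots, host terminated by the ACS path, bounded tenant segment.
STRICT_PATTERN = r"https://sp\.example\.com/saml/acs/[a-z0-9-]{1,32}"


def acs_url_allowed(pattern, url, anchored=True):
    """True if `url` is acceptable as an ACS destination under `pattern`.

    anchored=True uses fullmatch (the whole URL must match); anchored=False
    uses search, which accepts any URL that merely contains a matching substring.
    """
    regex = re.compile(pattern)
    return bool(regex.fullmatch(url) if anchored else regex.search(url))


def accepted_urls(pattern, urls, anchored=True):
    """Return the subset of `urls` that the pattern would accept."""
    return [u for u in urls if acs_url_allowed(pattern, u, anchored)]


def audit(pattern, anchored=True, urls=PROBE_URLS):
    """Return (accepted, rejected); every accepted URL beyond the legitimate one
    is a place a signed assertion could be delivered to an attacker."""
    accepted = accepted_urls(pattern, urls, anchored)
    rejected = [u for u in urls if u not in accepted]
    return accepted, rejected


if __name__ == "__main__":
    cases = [
        ("loose, substring match", LOOSE_PATTERN, False),
        ("loose, whole-string match", LOOSE_PATTERN, True),
        ("strict, whole-string match", STRICT_PATTERN, True),
    ]
    for name, pattern, anchored in cases:
        acc, _ = audit(pattern, anchored)
        print(f"{name}: accepts {len(acc)} of {len(PROBE_URLS)} probes")
        for u in acc:
            print("   ", u)
```

The loose pattern accepts four of the five probes under substring matching, and anchoring it to the whole URL still leaves the prefix-host and userinfo variants accepted, because nothing in the pattern requires the hostname to end at "/saml/acs". Only the strict pattern, with escaped dots, a fixed path and a bounded final segment, accepts the legitimate URL alone.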