IBM Verify Identity Access Upgrade Information

Abstract

This document is an actively maintained compilation of known issues and concerns encountered in the field when upgrading to the latest release.

Content


GENERAL BEST PRACTICE

IVIA 11.0.1
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.6 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params
 
For 10.0.6.0+ use /updates/available in the LMI to check for new updates. The "Download Firmware Update" button navigates directly to the 11.0.0 Fix Central download page.
*** Known Issues ***

IVIA 11.0.0
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.6 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params
 
For 10.0.6.0+ use /updates/available in the LMI to check for new updates. The "Download Firmware Update" button navigates directly to the 11.0.0 Fix Central download page.
***Known Issues***

Depending on where you download it from, the .pkg upgrade file may have a different name. For example, it may have been named IISVAVE0_1.0_MP_ML.pkg when you downloaded it.
You will need to rename this file to
ivia_11.0.0.0_20241212-0045.pkg
When you are upgrading from ISVA 10.0.9, you may also need to change the name if the file does not show up in the list after you upload it. In this case, rename the file to the following before uploading it to the appliance:
isva_11.0.0.0_20241212-0045.pkg

To protect itself against Denial-of-Service attacks, IBM Liberty server 24.0.5 (used as of IVIA 10.0.9 and 11.0.0) and later introduced the "limitFieldSize" limit, which enforces size limits on various HTTP fields such as the request URL or an individual header name or value. The default value is 32k. If a field exceeds the allowed size, an error is returned to the remote client. If you have header sizes larger than this and are getting errors after upgrading, you can increase the limit by adding an Advanced Tuning Parameter (ATP) via the LMI (System > Advanced Tuning Parameters). Raising the limit re-opens part of the resource-exhaustion exposure the limit was added to close, so raise it only as far as the largest legitimate field you actually observe.
For example, if an HTTP request carries an iv-creds header whose value exceeds 32k and you need to increase this setting:
  1. Create a support file from your appliance, then download and unzip it.
  2. Check /etc/settings.txt in the support file for the number of runtime endpoints configured. Open settings.txt and search for "runtime_profile.endpoint." You will see "runtime_profile.endpoint.port.1", "runtime_profile.endpoint.port.2" and, if more than two endpoints are configured, "runtime_profile.endpoint.port.3" and so on.
  3. You need to specify one ATP per endpoint so that the limit applies to all of them. For example, if there are three "runtime_profile.endpoint.port" entries, add the following Advanced Tuning Parameter (ATP) entries via System > System Settings: Advanced Tuning Parameters:

Key: runtime_profile.endpoint.httpOptions.1
Value: limitFieldSize=<value bigger than 32k>

Key: runtime_profile.endpoint.httpOptions.2
Value: limitFieldSize=<value bigger than 32k>

Key: runtime_profile.endpoint.httpOptions.3
Value: limitFieldSize=<value bigger than 32k>
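The following script is an added example, not code from IBM or from the appliance: it automates steps 2 and 3 above by parsing the settings.txt taken from a support file, counting the runtime_profile.endpoint.port.N entries, and emitting one runtime_profile.endpoint.httpOptions.N ATP per endpoint. Rather than picking an arbitrary large number, it sizes the new limit from the largest header name or value actually observed, with modest headroom. The settings.txt excerpt and the request headers are constructed for the demonstration; the 25% headroom factor is an assumption, not an IBM recommendation.

```python
"""Derive limitFieldSize ATP entries for every runtime endpoint.

Added example (not from IBM). Parses a settings.txt extracted from an
appliance support file, counts runtime_profile.endpoint.port.N entries and
emits one runtime_profile.endpoint.httpOptions.N ATP per endpoint, sized
to the largest HTTP field observed. Sample data below is constructed.
"""
import re

LIBERTY_DEFAULT_LIMIT = 32 * 1024  # the 32k default described on this page

# Constructed excerpt of /etc/settings.txt with two runtime endpoints.
SAMPLE_SETTINGS = """\
runtime_profile.endpoint.port.1 = 443
runtime_profile.endpoint.port.2 = 8443
runtime_profile.endpoint.interface.1 = 1.1
"""

# Constructed request headers: an iv-creds value of 40000 bytes, over 32k.
SAMPLE_HEADERS = {"Host": "www.example.com", "iv-creds": "A" * 40000}


def endpoint_indexes(settings_text):
    """Sorted endpoint indexes N found as runtime_profile.endpoint.port.N."""
    found = set()
    for line in settings_text.splitlines():
        m = re.match(r"\s*runtime_profile\.endpoint\.port\.(\d+)\s*=", line)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


def largest_field_size(headers):
    """Largest header name or header value length in bytes."""
    sizes = [len(k.encode()) for k in headers]
    sizes += [len(v.encode()) for v in headers.values()]
    return max(sizes) if sizes else 0


def required_limit(observed, default=LIBERTY_DEFAULT_LIMIT, headroom=1.25):
    """Keep the default unless a real field exceeds it; then add only
    modest headroom (assumed 25%) instead of an open-ended value."""
    if observed <= default:
        return default
    return int(observed * headroom)


def atp_entries(settings_text, headers):
    """[(key, value), ...], one ATP per endpoint; [] when the default suffices."""
    limit = required_limit(largest_field_size(headers))
    if limit == LIBERTY_DEFAULT_LIMIT:
        return []
    return [(f"runtime_profile.endpoint.httpOptions.{n}", f"limitFieldSize={limit}")
            for n in endpoint_indexes(settings_text)]


if __name__ == "__main__":
    for key, value in atp_entries(SAMPLE_SETTINGS, SAMPLE_HEADERS):
        print(f"Key: {key}\nValue: {value}\n")
```

Run it against the real settings.txt and a captured request that failed, then enter the printed Key/Value pairs in the LMI. If the script returns nothing, the default already covers your traffic and the failure has another cause.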


Cluster auto restart/reload requires a fixpack.  Open a support ticket and ask for cluster_runtime_restart_fix for the appropriate version.

The embedded SNMP agent does not work with SNMPv3 authPriv. Open a support ticket and ask for DT425323_snmp_protocol_fix for the appropriate version.

Username mapping modules written for client-certificate authentication do not properly parse X.509 extensions. This is being investigated as Known Issue DT426475.

Authorization Server logs cannot be viewed in the LMI, but they can be downloaded. Open a support ticket and ask for DT423997_view_pdacld_logs_fix.

Export of WRP does not include all the files.  This is being investigated with Known Issue DT431953.

LMI integration with an OIDC OP requires special Advanced Tuning Parameters. Consider the security implications before implementing: setting SameSite=None on the cookies whose names begin with WAS means the browser sends them on cross-site requests, which removes the SameSite protection against cross-site request forgery for the LMI, so restrict network access to the LMI accordingly.
lmi.liberty_option.httpEndpoint/SameSite.none = WAS*
lmi.liberty_option.httpEndpoint/SameSite.strict = *
lmi.liberty_option.webAppSecurity.sameSiteCookie = Disabled

The Policy Server is unable to start after upgrading from 10.0.9 to 11.0.0. Open a support ticket and ask for the fix for Known Issue DT436100 (policyserver_not_starting_10090.fixpack). It can be applied before or after the upgrade to v11.0.0. This only applies when upgrading from 10.0.9 to 11.0.0.

The Liberty version in use enforces strict hostname verification. For example, you may see something similar to the following when connecting to an external DB2 HVDB:
SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [db2.lab.org]. The host name used to access the server does not match the server certificate's [Subject Alternative Name [dnsName:db2.test.org]]. The extended error message from the SSL handshake exception is: [No subject alternative DNS name matching db2.lab.org found.].
If setting a local host alias is not an option, then set the following Advanced Tuning Parameters in the LMI at /adv_params:
lmi.liberty_option.ssl.skipHostnameVerification: db2.lab.org
runtime_profile.liberty_option.ssl.skipHostnameVerification: db2.lab.org
Multiple hostnames can be set by creating a comma-separated list with no spaces. Be aware that skipping hostname verification means any certificate issued by a trusted CA is accepted for that host, so prefer fixing the certificate's Subject Alternative Name or using a host alias, and limit the list to the exact hosts that need it.
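To make the failure concrete, here is an added example (not IBM or Liberty code) that reproduces the check the handshake error above is reporting: a minimal RFC 6125-style match of the hostname used for the connection against the certificate's dNSName SAN entries (exact match, or a single left-most wildcard label), followed by a builder for the comma-separated skipHostnameVerification ATP value that rejects whitespace so a typo cannot silently break or widen the exemption. The hostnames and SAN lists are constructed.

```python
"""Hostname-versus-SAN matching, as enforced by strict hostname verification.

Added example, not IBM code. Assumes SAN dNSName entries are supplied as a
list of strings (for example, extracted from the server certificate).
"""


def label_matches(pattern, label):
    """One DNS label: exact (case-insensitive) or a bare '*' wildcard label."""
    return pattern == "*" or pattern.lower() == label.lower()


def hostname_matches_san(hostname, san_dns_names):
    """True when hostname matches at least one dNSName SAN entry."""
    host_labels = hostname.rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard covers exactly one label, never several
        if san_labels[0] == "*" and len(san_labels) < 3:
            continue  # refuse over-broad wildcards such as "*.org"
        if "*" in san_labels[1:]:
            continue  # wildcard only honoured in the left-most label
        if all(label_matches(p, l) for p, l in zip(san_labels, host_labels)):
            return True
    return False


def skip_hostname_verification_value(hostnames):
    """Build the ATP value: comma-separated, no spaces, duplicates removed.
    Raises ValueError on empty names or embedded whitespace/commas."""
    seen = []
    for h in hostnames:
        h = h.strip()
        if not h or any(c.isspace() for c in h) or "," in h:
            raise ValueError(f"invalid hostname for ATP value: {h!r}")
        if h not in seen:
            seen.append(h)
    return ",".join(seen)


if __name__ == "__main__":
    # The case from the log message above: SAN says db2.test.org, host used is db2.lab.org.
    print(hostname_matches_san("db2.lab.org", ["db2.test.org"]))   # False
    print(hostname_matches_san("db2.test.org", ["db2.test.org"]))  # True
    print(skip_hostname_verification_value(["db2.lab.org", "db2-2.lab.org"]))
```

The first call returns False, which is exactly why the handshake fails; the right fix is a certificate whose SAN contains db2.lab.org, and the ATP is the fallback when that is not possible.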

10.0.9
See the 11.0.0 section above. Support recommends upgrading to IVIA 11.0.0.

10.0.8
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.6 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params
 
For 10.0.6.0+ use /updates/available in the LMI to check for new updates. The "Download Firmware Update" button navigates directly to the 10.0.8.0 Fix Central download page.
**NOTE**
  • Before upgrading the firmware, the Glowroot extension at https://appliance_lmi_hostname/extensions must be disabled. Set "LMI Server Monitoring = Disabled" and "Runtime Server Monitoring = Disabled". Do not re-enable it after the upgrade. Support recommends deleting and reinstalling the extension. The 10.0.8 version requires the latest version of the Glowroot Extension from the AppExchange (https://exchange.xforce.ibmcloud.com/hub/extension/d7a4b990084a0d7ad9b48557db9dc25f) and glowroot-0.14.2-dist.zip from Glowroot.
========
10.0.8 also includes an upgrade to Java 17 for the LMI and Runtime Application Server. Java 17 is stricter in enforcing the rules for hostnames in the SNI it receives for connections.

Because of this, if you are using hostnames with characters that are not allowed by the RFC specifications (for example an underscore ( _ ) character as part of the hostname), then when this hostname is received by the LMI or Runtime Application Server as the SNI on the TLS connection, it is rejected, the connection fails, and an exception containing "Illegal server name" is logged, along with:

Caused by: java.lang.IllegalArgumentException: The encoded server name value is invalid
    at java.base/javax.net.ssl.SNIHostName.<init>(Unknown Source)
    ... 26 more
Caused by: java.lang.IllegalArgumentException: Contains non-LDH ASCII characters
    at java.base/java.net.IDN.toASCIIInternal(Unknown Source)
    at java.base/java.net.IDN.toASCII(Unknown Source)
You must switch to hostnames that conform to RFC 1123 and RFC 952: letters, digits and hyphens only, with no label beginning or ending with a hyphen.
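Before upgrading, it is worth checking every hostname that clients present in SNI (Reverse Proxy virtual hosts, LMI names, junction targets) against the LDH rule. The validator below is an added example, not IBM or OpenJDK code: it applies the RFC 952/1123 label rules (letters, digits and hyphen, no leading or trailing hyphen, 1 to 63 characters per label, at most 253 characters overall) and reports why a name would be rejected. The sample hostnames are constructed.

```python
"""LDH hostname validation matching the rule Java 17's SNIHostName enforces.

Added example, not IBM or OpenJDK code. Sample hostnames are constructed.
"""
import re

# One DNS label: starts and ends with a letter or digit, hyphens only inside, max 63 chars.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def ldh_violations(hostname):
    """Return a list of human-readable problems; an empty list means the name is valid."""
    problems = []
    name = hostname.rstrip(".")
    if not name:
        return ["empty hostname"]
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > 63:
            problems.append(f"label {label!r} longer than 63 characters")
        elif not LDH_LABEL.match(label):
            bad = sorted({c for c in label
                          if not (c.isascii() and (c.isalnum() or c == "-"))})
            if bad:
                problems.append(f"label {label!r} contains non-LDH characters {bad}")
            else:
                problems.append(f"label {label!r} starts or ends with a hyphen")
    return problems


def is_ldh_hostname(hostname):
    """True when the hostname would be accepted as an SNI server name."""
    return not ldh_violations(hostname)


SAMPLE_HOSTNAMES = [           # constructed
    "webseal.example.com",     # valid
    "app_server.example.com",  # underscore: rejected by Java 17 SNIHostName
    "-bad.example.com",        # leading hyphen
    "ok-name.example.com",     # hyphen inside a label is fine
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        print(h, "->", ldh_violations(h) or "OK")
```

Any name that comes back with a violation needs a DNS change (and matching certificate SAN) before the 10.0.8 upgrade, otherwise TLS connections using it will fail with the exception shown above.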
========
The following exception may be seen for OAuth/OIDC flows:
tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils E getOidcDefinition org.postgresql.util.PSQLException: The column name INCLUDE_ISS was not found in this ResultSet.
The above shows PostgreSQL, but it may happen when using Oracle or DB2 as well. Open a support ticket and ask for the fixpack named include_iss_resultset_fix_10080.fixpack. Support recommends applying this fixpack immediately after upgrading to avoid hitting the issue.

10.0.7
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.6 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params
 
For 10.0.6.0 and later use /updates/available in the LMI to check for new updates. The "Download Firmware Update" button navigates directly to the 10.0.7.0 Fix Central download page.
**NOTE**
  • Upgrading to 10.0.7 may cause Reverse Proxy instances with SPNEGO to fail when restarted.  Open a support case and ask for DT258624_10070.fixpack.
  • The AAC/Federation Runtime /metrics endpoint may not start.  Open a support case and ask for updt_liberty_metrics.fixpack.
  • Container Infrastructure

    The convenience OpenLDAP container that is shipped with prior releases is no longer updated or maintained. The container deployment of IBM Security Verify Directory can be used as a comparable alternative.

  • See IBM Security Verify Access v10.0.7 - WebSEAL Transformation Rule Extensions HTTP Transformation enhancements.


 
10.0.6
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.5 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params

The online automatic update service is concluded. The 10.0.6 version is not available to download automatically by using "Available Updates" in the LMI.

10.0.5
Upgrades on existing appliances prior to 10.0.4 require a fix pack to be installed before the PKG is uploaded. See IBM Security Access Manager & Security Verify Access Upgrade Paths for details.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params
The online automatic update service is concluded. The 10.0.5 version is not available to download automatically by using "Available Updates" in the LMI. This feature was removed in 10.0.5.
The container images are not being uploaded to Docker Hub (as ibmcom is leaving Docker Hub) but instead to IBM Cloud Container Registry. The most authoritative index of available images is at IBM Security Verify Access Containers.
The documentation notes, "The Policy Directory Java™ library (PD.jar) has been updated to support both IBM® Java 1.8 and OpenJDK 11." There are problems in the 10.0.5 PD.jar, so use the 10.0.2.0 PD.jar level with IBM Java 1.8. If you do not have a 10.0.2.0 environment available, contact Support to obtain this file.
There is a problem with the dbupdate9 scripts for DB2. The file cluster_config_db2_update_202210191.sql has a hard-coded instance name at line 45, "REORG TABLE DB2INST1.ISAM_AUDIT_HANDLERS;". The work-around is to remove the instance name (the DB2INST1. schema qualifier) so the statement runs against the current schema.

10.0.4
Java APIs
The 10.0.3 version changed from IBM JVM 8 to OpenJDK 11. The PDJRTE APIs do not support OpenJDK yet. For existing deployments that use IBM JVM 8 for the APIs with Policy Server version 10.0.4.0, it is recommended to use at least pdjrte-10.0.2.0.zip. This file is available for download in the LMI at https://appliance_lmi_hostname/isam/downloads -> isva -> pdjrte-10.0.2.0.zip. If you do not have a 10.0.2.0 environment available, contact Support to obtain this file.

10.0.3
SSL Certificate Replication across the cluster:
In ISVA 10.0.3, the product changed from the IBM proprietary kdb format for key databases to the standard PKCS#12 (p12) format. The upgrade automatically converts the files from kdb to p12. However, when the ISVA cluster is configured to replicate the key databases from the primary master to the other cluster nodes, this replication can break cluster members that have not yet been upgraded: the replication removes the kdb files and replaces them with p12 files, which the older members cannot read. Upgrading the remaining cluster members as soon as possible resolves this problem.
With 10.0.3.1 a change was implemented to make this transition more forgiving. Once the primary master is upgraded, it replicates both the new p12 files and the old kdb files to the nodes, so that nodes not yet upgraded continue to function.
However, as soon as you make any change to a key database, the kdb key database is removed from the primary master and the rest of the cluster.
The admin needs to be aware that once the primary master is upgraded to 10.0.3.1, they must not make changes to any key database that is still in use by a cluster member that has not been upgraded.
As documented at https://www.ibm.com/docs/en/sva/10.0.3?topic=overview-upgrading-current-version, the primary master must always be upgraded first to avoid problems in the cluster. With this keystore change, the upgrade order is even more important. If SSL keystore replication is enabled and you start the upgrade on a node other than the primary master, this WILL break that node. Always start with the primary master.
Upgrading from 10.0.2.0:
APAR IJ36986 (UPGRADE: UNABLE TO MOUNT UPGRADE PACKAGE) addressed in 10.0.3.1 does not fix previous versions. A fix pack must be installed on 10.0.2.0 prior to attempting the upgrade. Contact Support for the fix pack.
Use of URL macro with LRR:
The URL macro is expanded to an absolute URL instead of a relative URL as in previous versions. This is addressed by APARs IJ36413 and IJ41545 in 10.0.4.0_IF1. Contact Support for a fix pack specific to 10.0.3.1. Future versions use the option
  [server]
  allow-url-macro-to-be-relative = true
Certificate label settings are now case-sensitive
TLS settings that point to a certificate label are now case-sensitive. For example, the WRP config file uses

  [ssl] 
  webseal-cert-keyfile-label = frontend_label


to specify the cert to use for front end traffic. If the label in the keystore is actually FRONTEND_LABEL, WebSEAL starts but does not respond to any requests.
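Because the failure mode is silent (WebSEAL starts but serves nothing), a pre-upgrade check is worth having. The script below is an added example, not IBM code: it reads the label referenced from the [ssl] stanza of a webseald.conf-style file and verifies that a label with exactly that spelling exists in the keystore, distinguishing a case-only mismatch from a label that is missing altogether. The config excerpt and the keystore label list are constructed; on a real appliance the labels come from the LMI SSL Certificates view or the p12 file itself.

```python
"""Case-sensitive certificate label check for a WebSEAL (WRP) configuration.

Added example, not IBM code. Config text and keystore labels are constructed.
"""
import configparser

# Constructed excerpt of a WRP config file.
SAMPLE_CONF = """\
[ssl]
webseal-cert-keyfile = pdsrv.p12
webseal-cert-keyfile-label = frontend_label
"""

# Constructed list of certificate labels present in pdsrv.p12.
SAMPLE_KEYSTORE_LABELS = ["WebSEAL-Test-Only", "FRONTEND_LABEL"]


def configured_label(conf_text, option="webseal-cert-keyfile-label"):
    """Return the label the [ssl] stanza points at, or None if it is not set."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(conf_text)
    return parser.get("ssl", option, fallback=None)


def check_label(label, keystore_labels):
    """Classify the configured label against the keystore:
    'ok'            an exact match exists
    'case-mismatch' only a differently-cased label exists (the silent failure)
    'missing'       nothing resembling it exists"""
    if label in keystore_labels:
        return "ok"
    if label.lower() in {l.lower() for l in keystore_labels}:
        return "case-mismatch"
    return "missing"


def check_config(conf_text, keystore_labels):
    """(status, configured label, exact keystore label to use or None)."""
    label = configured_label(conf_text)
    if label is None:
        return ("missing", None, None)
    status = check_label(label, keystore_labels)
    suggestion = None
    if status == "case-mismatch":
        suggestion = next(l for l in keystore_labels if l.lower() == label.lower())
    return (status, label, suggestion)


if __name__ == "__main__":
    print(check_config(SAMPLE_CONF, SAMPLE_KEYSTORE_LABELS))
```

A "case-mismatch" result is the situation described above; correct the value of webseal-cert-keyfile-label to the suggested spelling before upgrading.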
Federation SSO flows require complete certificate chains
With the change to OpenJDK, Federation now requires the full CA certificate chain entries for signing and encrypting keys. In previous versions, only the key was required in the keystore. Contact Support for a fix pack specific to 10.0.3.1 that can be used to revert the behavior (IJ38991).
Java APIs
The new pdjrte-10.0.3.1.zip is designed for use with OpenJDK 11 and does not work with IBM JVM 8. For existing deployments that use IBM JVM 8 for the Java APIs with Policy Server version 10.0.3.1, it is recommended to use at least pdjrte-10.0.2.0.zip. If you do not have a 10.0.2.0 environment available, contact Support to obtain this file.
Federation SAML flows that use WS-Trust for identity mapping
Federation flows that use an external WS-Trust server for Identity Mapping can fail. Contact Support for a fix pack specific to 10.0.3.1.


Product Synonym

ISAM;ISVA;IBM Security Access Manager;IBM Security Verify Access;IVIA

Document Information

Modified date:
02 July 2025

UID

ibm16557516