Troubleshooting
Problem
MFA (Multi-Factor Authentication) and Federation functionality may stop working after upgrading from ISVA versions prior to 10.0.9 to ISVA 10.0.9 or later, or to IVIA 11.0.0 or later.
Symptom
- Federation operations return errors
- MFA may fail silently, allowing users to access pages without MFA authentication
- Runtime Server responses return HTTP 503 errors when accessing the /mga junction on the reverse proxy
Cause
In ISVA 10.0.9, the Runtime Server certificate configuration was enhanced to allow separate settings for client-side (outbound) and server-side (inbound) operations.
Reference: What's new in ISVA 10.0.9
Runtime Tuning Parameters Enhancement:
The tuning of the runtime profile SSL connection properties is split into distinct values for inbound and outbound connections. Outbound connections use the existing Keystore, Keystore Label and Truststore properties. Inbound connections use the new Inbound Keystore, Inbound Keystore Label and Inbound Truststore properties.
What happens during upgrade:
When the ISVA/IVIA Runtime Server has customized server certificate settings:
- Pre-upgrade settings are preserved as outbound (client-side) configuration
- Inbound (server-side) configuration is reset to default values (Keystore Label: Unset)
When incorrect server certificates are used for inbound connections, access to the /mga junction on the reverse proxy returns HTTP 503 errors, causing MFA to fail.
Environment
- Product: IBM Security Verify Access (ISVA) / IBM Verify Identity Access (IVIA)
- Versions Affected: Upgrades from pre-10.0.9 to ISVA 10.0.9 or later, or IVIA 11.0.0 or later
- Component: Runtime Server
Diagnosing The Problem
- Enable pdweb.debug tracing and verify that the Runtime Server response returns HTTP 503 errors.
- Check Runtime Parameters:
  - Navigate to LMI > AAC > Runtime Parameter page
  - Verify that the Keystore and Keystore Label have been customized from default values
  - Default values:
    - Keystore: rt_profile_keys
    - Keystore Label: Unset
  - If the Inbound Keystore and Inbound Keystore Label are set to default values while the outbound settings are customized, this indicates the issue.
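The comparison described above, written as an added example (not IBM's code) that can be run over values copied by hand from the Runtime Parameter page. The snapshot dictionaries and their values are constructed; the script assumes the inbound parameters share the outbound defaults listed above and treats an empty or missing value as default.

```python
# Added example. Keys are the LMI display names used on this page; the
# snapshots are constructed by hand, not an appliance API response.
DEFAULTS = {"Keystore": "rt_profile_keys", "Keystore Label": "Unset"}
# (outbound parameter, inbound counterpart introduced in 10.0.9)
PAIRS = [("Keystore", "Inbound Keystore"),
         ("Keystore Label", "Inbound Keystore Label")]

def is_default(outbound_name, value):
    """Assumption: inbound defaults equal the outbound defaults; an empty
    or missing value also counts as default."""
    text = (value or "").strip().lower()
    return text in ("", DEFAULTS[outbound_name].lower())

def audit(params):
    """List inbound parameters still at default while the matching
    outbound parameter carries a customized value."""
    findings = []
    for outbound, inbound in PAIRS:
        if is_default(outbound, params.get(outbound)):
            continue  # outbound never customized: nothing was reset
        if is_default(outbound, params.get(inbound)):
            findings.append({"parameter": inbound,
                             "current": params.get(inbound),
                             "outbound_value": params[outbound]})
    return findings

# Constructed snapshots: just after upgrade, and after the fix.
UPGRADED = {"Keystore": "custom_keys", "Keystore Label": "runtime-server",
            "Inbound Keystore": "rt_profile_keys",
            "Inbound Keystore Label": "Unset"}
RESOLVED = dict(UPGRADED, **{"Inbound Keystore": "custom_keys",
                             "Inbound Keystore Label": "runtime-server"})

if __name__ == "__main__":
    for name, snap in (("upgraded", UPGRADED), ("resolved", RESOLVED)):
        for f in audit(snap):
            print(f"{name}: {f['parameter']} is {f['current']!r}; "
                  f"outbound value is {f['outbound_value']!r}")
        if not audit(snap):
            print(f"{name}: inbound settings are not at default")
```

A non-empty result from `audit` matches the condition this section describes; an empty result means the HTTP 503 responses on /mga need a different explanation.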
Resolving The Problem
Configure the inbound (server-side) certificate settings to match your customized server certificate configuration:
- Log in to the LMI (Local Management Interface)
- Navigate to AAC > Runtime Parameter page
- Set the correct server certificate values for:
  - Inbound Keystore
  - Inbound Keystore Label
- Deploy the changes and restart the Runtime Server if necessary
Document Location
Worldwide
Product Synonym
ISVA; IVIA
Document Information
Modified date:
11 May 2026
UID
ibm17272516