What's new in this release

IBM® Security Verify Access provides new features and extended functions for Version 10.0.1.

Verify Access Platform

  • Reverse Proxy Headers

    Static HTTP headers can now be added to requests which are sent to junctioned servers. See header-data.

  • Management Authentication

    The management users, which can be used to authenticate against the Web UI, can now also be used to authenticate against the Command Line Interface (CLI). See Configuring management authentication.

  • PostgreSQL failover support

    When PostgreSQL is configured as the external config or runtime database, one or more failover servers can now be added. See Runtime database and Configuration database.

  • Reverse Proxy Statistics

    Statistics from the Reverse Proxy can now be published to a remote statsd server. See Sending statistics to Statsd.

  • Reverse Proxy Snippet Filter

    Pattern matching is now supported when matching snippet filter URIs. See pattern-match-uri.

  • Command Line Interface

    The following commands have been added to the ‘diagnostics’ component of the command line interface:

    • ls: Generate a list of the files contained on the local system.
    • ps: Generate a list of the processes running on the system.
    • kill: Terminate the specified running process.

  • Reverse Proxy Redirects

    The Web Reverse Proxy can now be configured to automatically redirect HTTP requests to the corresponding HTTPS resource. See redirect-http-to-https.

  • Reverse Proxy Persistent Sessions

    The Web Reverse Proxy can now be configured to remember the username, which is used in a login form, and can also be configured to persist authenticated sessions across browser restarts. See Persistent Sessions.

  • Credential Viewer Application

    The attributes which are returned from the credential viewer application can now be filtered. See attribute-rule.

  • Redis Support

    The Web Reverse Proxy can now be configured to use a Redis server as an alternative to the Distributed Session Cache (DSC) for the remote storage of sessions. See Redis Session Cache.

  • Filtering requests from the request.log

    The HTTP transformation rules capability of the Web Reverse Proxy can now be used to control whether a particular request appears in the request log. See XSL Transformation Rules.

  • OpenLDAP User Registry support

    An OpenLDAP server can now be used as the Security Verify Access user registry. See Installing and configuring the OpenLDAP Server.

  • Reverse Proxy Policy and Auditing

    The reverse proxy can now be configured to use the contents of an HTTP header as the client IP address in authorization decisions and auditing records. See client-ip-http-header.

  • Reverse proxy configuration

    The following junction configuration entries can now be customised on a per-junction basis: ping-time, ping-attempt-threshold, recovery-ping-time, recovery-ping-attempt-threshold and match-vhj-first. See [junction] stanza.

  • OpenShift 4.x Support

    IBM Security Verify Access is supported on OpenShift 4.x. See Kubernetes support for information on setting up the Verify Access containers and see Docker image for OpenLDAP support for information on setting up the user registry.

  • Kerberos Keys added to Node Replication

    Kerberos keyfiles are now shared with all added nodes in a clustered environment.

  • Kubernetes Health Checks

    The health check script which is used in a Kubernetes environment has been improved to more reliably detect the health of the pods. See Kubernetes support.

  • Certificate Expiry Notifications

    The certificate expiry notifications which are generated by the appliance have been updated to include the name of the key database in which the expiring certificate resides.

  • Web Reverse Proxy: Expect 100-continue support

    The Web Reverse Proxy can now handle HTTP requests which contain the 'expect: 100-continue' HTTP header, as per section 8.2.3 of RFC 2616 (Hypertext Transfer Protocol – HTTP/1.1). See proxy-expect-header and expect-hdr-timeout.

Advanced Access Control

  • MMFA Auditing

    Auditing is now enhanced for MMFA authenticator, authentication method, and transaction flows. You can turn on auditing in Audit Configuration. See Configuring auditing on the appliance. The audit events for authenticator and authentication method flows will have the type AUDIT_WORKFLOW.

  • Database clean-up thread enhancements

    The database clean-up threads have been modified to remove the lazy loading characteristics. This results in each thread starting when the runtime server is started (instead of when the first database transaction is requested). In addition, administrators now have the ability to start and stop threads without impacting service availability (runtime restart no longer required). See Runtime database tuning parameters.

  • IBM Security Verify integration: Factors

    The IBM Security Verify Strong Authentication/API Integration is now updated to include support for the Factors endpoint (v2.0 of the initial Authentication Methods endpoint).

    New methods for enrolling, managing, and verifying authentication factors are added to CiClient. See Embedded Cloud Identity API Calls in an Info Map Mechanism.

    The out of the box mapping rules are updated to use the new CiClient methods. See Cloud Identity API Integration.

  • Advanced Access Control (AAC) User Registry – Group management

    AAC user registry groups can now be managed. See Managing User Registries.

  • Support for Apple Platform (FIDO2) Attestation

    FIDO2/WebAuthn registration and authentication have been extended to include support for Apple platform authenticators (TouchID and FaceID) using Safari. This also includes support for validating the Apple Platform Attestation Statement Format.

  • FIDO compatibility with WebAuthn L2

    Enhancements have been made to FIDO capabilities to be compatible with the Level 2 specification of WebAuthn. All changes are backwards compatible with clients which only support the Level 1 specification. The example JavaScript FIDO2 mediator has also been updated with demonstration scenarios using Level 2 features.

  • HTTP response headers in an InfoMap Authentication Mechanism

    A new JavaScript context variable, "responseHeaders", has been added to InfoMap Authentication. By using this variable, an InfoMap author can set custom HTTP response headers. For the complete list of available context parameters, see Available Parameters in Info Map.

  • AAC runtime server HTTP port update for Docker

    When you are running IBM Security Verify Access on Docker, the AAC runtime server is now available via HTTP using port 80. See Scenario - AAC/Federation Runtime Configuration.

  • RSA SecurID Authentication

    A new RSA SecurID authentication mechanism has been provided which utilizes the new 'RSA SecurID Authentication API' when communicating with the RSA Authentication Manager. See Configuring an RSA SecurID one-time password mechanism.

Federation