What's new in this release

IBM Security Verify Access provides new features and extended functions for Version 10.0.2.

Verify Access Platform

  • Proxy Protocol Support

    The Web reverse proxy now supports the ‘proxy protocol’ for the receipt of connection information from a proxy which sits in front of the Web reverse proxy. See Proxy Protocol Support.

  • Client IP Rules

    The Web reverse proxy now provides the ability to define rules to permit or deny connections based on the client IP address. See Client IP Rules.
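
The two items above interact: a client IP rule is only as good as the address it is evaluated against, and with the proxy protocol that address comes from a header sent by the front proxy rather than from the TCP peer. The following Python is an added example (not IBM code) that parses a PROXY protocol v1 header, honours it only when the TCP peer is a trusted front proxy, and then evaluates a first-match permit/deny rule list. The trusted proxy address, the rule list and its (action, network) shape are constructed assumptions for the example, not the product's rule syntax.

```python
import ipaddress

# Constructed sample: the only front proxy whose PROXY header is honoured.
TRUSTED_FRONT_PROXIES = {ipaddress.ip_address("198.51.100.10")}

# Constructed sample rules, evaluated first-match with a default of deny.
# The (action, network) shape is an assumption for this example only.
CLIENT_IP_RULES = [
    ("deny", "203.0.113.0/24"),
    ("permit", "0.0.0.0/0"),
    ("permit", "::/0"),
]

MAX_V1_HEADER = 107  # PROXY protocol v1: whole line including CRLF


def parse_proxy_v1(data: bytes) -> dict:
    """Parse a PROXY v1 line and return the original client endpoint plus the bytes after it."""
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > MAX_V1_HEADER:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The sender has no client address; that is "no information", never an address.
        return {"proto": "UNKNOWN", "payload": payload}
    if len(fields) != 6:
        raise ValueError("wrong field count")
    proto, src, dst, sport, dport = fields[1:]
    version = {"TCP4": 4, "TCP6": 6}.get(proto)
    if version is None:
        raise ValueError("unsupported protocol %r" % proto)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match protocol")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("non-numeric port")
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return {"proto": proto, "src_ip": str(src_ip), "src_port": src_port,
            "dst_ip": str(dst_ip), "dst_port": dst_port, "payload": payload}


def effective_client_ip(peer_ip: str, data: bytes) -> tuple:
    """Return (address the IP rules should see, bytes left for the HTTP parser)."""
    peer = ipaddress.ip_address(peer_ip)
    if peer in TRUSTED_FRONT_PROXIES:
        hdr = parse_proxy_v1(data)  # a trusted front proxy must always send the header
        if hdr["proto"] == "UNKNOWN":
            return str(peer), hdr["payload"]
        return hdr["src_ip"], hdr["payload"]
    if data.startswith(b"PROXY "):
        # An untrusted peer tried to assert a client address; never let it override the rules.
        raise ValueError("PROXY header from untrusted peer %s" % peer)
    return str(peer), data


def is_permitted(client_ip: str, rules=CLIENT_IP_RULES) -> bool:
    """First matching rule wins; an address matching no rule is denied."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed connection: front proxy 198.51.100.10 relays client 203.0.113.7.
    sample = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\nGET / HTTP/1.1\r\n"
    ip, rest = effective_client_ip("198.51.100.10", sample)
    print(ip, "permitted" if is_permitted(ip) else "denied", rest)
```

The point of the trusted-peer check is that the header is plain text any TCP client can send; if the reverse proxy accepted it from arbitrary peers, an address rule could be satisfied by the connecting host simply asserting a permitted source address.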

  • Reverse Proxy Persistent Sessions

    A change has been made to the format of the tokens which are used for persistent sessions which means that tokens which have been created by an earlier version of Verify Access will no longer work. Users will be prompted to re-authenticate if an older token is provided to the Reverse Proxy. For more information on persistent sessions, see Persistent Sessions.

  • LMI Message Timeout

    A new administrator setting has been added to allow a timeout to be set for LMI notification messages. The default timeout is set as 5 seconds. Setting a value of 0 removes the timeout and messages will remain until manually closed. To update this entry, see Configuring administrator settings.

  • License Auditing for Containerized Deployments

    The IBM License Metric Tool (ILMT) container now supports IBM Security Verify Access. By using the ILMT container, administrators are able to automate license usage and auditing for deployments which use Kubernetes infrastructure and are based on a processor based licensing model. To deploy the ILMT container with Verify Access, see License usage with IBM Security Verify Access deployed on Kubernetes.

  • nCipher Hardserver and watchdog log forwarding

    Remote syslog forwarding capabilities have been added for the nCipher watchdog and hardserver log files. These log files can now be collected by a remote logging server where they can be centrally managed. To set up a remote syslog server for IBM Security Verify Access, see Forwarding logs to a remote syslog server.

  • Junctioned Servers Priority

    It is now possible, when configuring a junctioned server in the Web Reverse Proxy, to specify a priority value for the server. See Adding multiple back-end servers to the same junction.

  • Adding HTTP Headers to requests

    It is now possible to generate an HTTP header, from a credential attribute, which is inserted into requests sent to any junction. See Adding a HTTP header for all junctions.

  • Container Enhancements

    To help improve the start-up time of Docker containers the verification of files on the file system is now controlled by the VERIFY_FILES environment variable. See Docker Image for Security Verify Access.

    A new container image has been created which embeds the AAC and Federation runtime. See Docker Image for Verify Access Runtime.

    A new container image has been created which provides the Web Reverse Proxy capabilities. See Docker Image for Verify Access Web Reverse Proxy.
    Note: The capability of running the verify-access image as anything other than a configuration container is being deprecated and will not be available in verify-access images released after 2021. The new runtime, Web reverse proxy and DSC images should be used instead.

    The management of Web Reverse Proxy instances, including junction management and object space management, from the configuration container is now more efficient and performant.

    Support for a Kubernetes start-up probe has been added to the embedded health check script. See Kubernetes support.

    A new container image has been created which provides the Distributed Session Cache capabilities. See Docker image for Verify Access Distributed Session Cache.

  • Reverse Proxy Auditing

    It is now possible to configure the Web reverse proxy to send audit records in JSON format. See audit-json.

  • Reverse Proxy JWT Support

    A configuration option is now available which controls, when the Web Reverse proxy generates a JWT to be sent to a junctioned application:

      • The lifetime of the generated JWT. See lifetime.
      • The format of the HTTP header which is added to the request. See hdr-format.

  • Junction Cookie

    The junction cookie can now be returned to clients as a standard HTTP cookie. See Inserting the junction cookie as a standard HTTP cookie.

  • Enable Junction Protocols

    It is now possible to enable and disable SSL/TLS protocols on a per junction basis. See the [junction:<jct-id>] stanza.

  • Web Reverse Proxy Tracing

    The snoop tracing for the Web Reverse proxy can now be activated on a per junction basis. See junction-specific-snoop.

  • Management Authentication

    When a remote LDAP user registry is configured for management authentication, the DN of a client certificate can now be mapped to a new format using a JavaScript function. See Configuring management authentication.

  • Web Reverse Proxy TFIM Junction Configuration

    It is now possible to set global configuration entries for TFIM SSO style junctions. See Single sign-on Security Token Service.

  • Access Logging for Administrator Interface

    Support has been added to log administrator requests to the Local Management Interface (LMI). The output format of this log can be customized using an administrator setting. See Configuring administrator settings.

  • Reverse Proxy OAuth Introspection

    You can now configure additional HTTP headers which will be sent to the OAuth introspection endpoint. See http-header.

  • Runtime FIPS file integrity check

    A new command has been added to the FIPS Command Line Interface (CLI) menu on FIPS enabled appliances. This command scans the appliance file system and validates that the firmware has not been modified. To learn more about FIPS Compliance, see FIPS 140-2.

  • New Management Authorization Roles

    Two new management authorization roles have been added: Full Read which permits read access to all Local Management Interface (LMI) URLs and Full Write which permits write access to all LMI URLs. Unlike existing authorization roles, Full Read and Full Write do not use a feature list and do not need to be updated when an appliance is upgraded. See Managing roles of users and groups.

  • Statistics Monitoring

    The memory, storage, CPU and interface monitoring statistics can now be returned for shorter ranges. See Monitoring.

  • Amazon CloudWatch Support

    The virtual appliance now supports the unified CloudWatch agent, which can be used to report metrics from the virtual appliance in an Amazon Web Services (AWS) environment. See Configuring Amazon CloudWatch support.

  • AAC Configuration Wizards

    The AAC configuration wizards, which are used to configure the Web reverse proxy as a point of contact, have been modified so that the automatic retrieval of the server certificate from the runtime profile is now optional. This allows the configuration to successfully complete even when the AAC runtime server is not available. This impacts the MMFA Configuration, OAuth and OpenID Connect Provider Configuration, Authentication and Context Based Access Configuration, and IBM Verify Gateway Configuration wizards.

  • Web Reverse Proxy Certificate Validation

    It is now possible to perform CN and Subject Alternative Name validation on certificates which are provided by Junctioned servers. See Matching the common name (CN) and subject alternative name (SAN).

  • Reverse Proxy HTTP Header Sessions

    It is now possible to restrict the creation of HTTP Header indexed sessions to include only those HTTP headers which have been used in the authentication process. See require-auth-session-http-hdrs.

  • Remote Syslog Forwarding

    It is now possible to forward messages to a remote syslog server using the syslog format defined in RFC5424. See Forwarding logs to a remote syslog server.
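
A collector receiving the forwarded messages has to parse the RFC 5424 layout (PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA, MSG) and decode the PRI into facility and severity. The Python below is an added example, not IBM code: a formatter that builds a valid RFC 5424 message and a parser that validates one, including escaped values in structured data. The host, application and structured-data values are constructed samples; the first test line is the example message from RFC 5424 itself.

```python
import re
from datetime import datetime, timezone

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID, then SP STRUCTURED-DATA
_HEADER_RE = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]", with \" \] \\ escapes
_SD_ELEMENT_RE = re.compile(r'\[([^\s\]=]+)((?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


def _parse_sd(text: str):
    """Parse STRUCTURED-DATA at the start of text; return (elements, index after it)."""
    if text.startswith("-"):          # NILVALUE: no structured data
        return {}, 1
    if not text.startswith("["):
        raise ValueError("STRUCTURED-DATA must be NILVALUE or SD-ELEMENTs")
    elements, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        m = _SD_ELEMENT_RE.match(text, pos)
        if not m:
            raise ValueError("malformed SD-ELEMENT at offset %d" % pos)
        params = {k: re.sub(r"\\(.)", r"\1", v)       # undo \" \] \\ escaping
                  for k, v in _SD_PARAM_RE.findall(m.group(2))}
        elements[m.group(1)] = params
        pos = m.end()
    return elements, pos


def parse_rfc5424(line: str) -> dict:
    """Validate and split one RFC 5424 message into its fields."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed RFC 5424 header")
    pri, version = int(m.group(1)), int(m.group(2))
    if pri > 191 or version != 1:                    # PRI is facility*8+severity, max 23*8+7
        raise ValueError("PRI out of range or unsupported VERSION")
    ts, host, app, procid, msgid = m.group(3, 4, 5, 6, 7)
    rest = line[m.end():]
    sd, pos = _parse_sd(rest)
    if pos == len(rest):
        msg = ""
    elif rest[pos] == " ":
        msg = rest[pos + 1:]
    else:
        raise ValueError("unexpected data after STRUCTURED-DATA")
    nil = lambda v: None if v == "-" else v
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": nil(ts),
            "hostname": nil(host), "app_name": nil(app), "procid": nil(procid),
            "msgid": nil(msgid), "structured_data": sd, "msg": msg}


def _escape_sd(value: str) -> str:
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(facility: int, severity: int, hostname, app_name, msg="",
                   msgid=None, procid=None, structured_data=None, timestamp=None) -> str:
    """Build an RFC 5424 message; None fields become the NILVALUE '-'."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    sd = "-"
    if structured_data:
        sd = "".join("[%s%s]" % (sid, "".join(' %s="%s"' % (k, _escape_sd(v)) for k, v in params.items()))
                     for sid, params in structured_data.items())
    nil = lambda v: v if v else "-"
    head = "<%d>1 %s %s %s %s %s %s" % (facility * 8 + severity, ts, nil(hostname),
                                         nil(app_name), nil(procid), nil(msgid), sd)
    return head + (" " + msg if msg else "")


if __name__ == "__main__":
    # Constructed sample: an auth failure from a reverse proxy host, facility 4 (auth), severity 2 (critical).
    line = format_rfc5424(4, 2, "wrp1.example.com", "webseald", "authentication failed", msgid="AUTH",
                          structured_data={"example@32473": {"user": 'a"b]c', "client": "203.0.113.7"}})
    print(line)
    print(parse_rfc5424(line))
```

The parser deliberately rejects a PRI above 191 and any VERSION other than 1, so a collector can drop malformed input instead of mis-attributing it; facility and severity are derived from PRI rather than trusted as separate fields.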

  • RSA SecurID configuration

    In the RSA SecurID configuration the ability to provide a sdopts.rec file has been added. This allows the specification of the IP address that the SecurID authentication method should use. See Managing RSA SecurID configuration.

  • Deprecated Reverse Proxy SSO functionality

    For new installations of IBM Security Verify Access the legacy cross-domain single-sign-on (CDSSO) and e-community single-sign-on (eCSSO) authentication mechanisms have been deprecated. In these environments a more modern federated single-sign-on protocol should be used. These authentication mechanisms will however continue to work in an environment which has been upgraded from an older version of Verify Access.

    The query contents capability of the Web Reverse Proxy has been deprecated. This legacy capability allowed the Web Reverse Proxy to send a Web request to a junctioned server to determine the composition of the policy object space for the junction. This has no impact on the ability to attach ACLs and POPs to any location under a junction.

Advanced Access Control (AAC)

  • Managing LDAP password attributes

    Support has been added for updating LDAP User Registry attributes when you are performing password authentication using the AAC AuthSvc. Administrators can now update the LDAP attributes which record the number of failed password attempts and the last successful login time. This capability is available from either the Username/Password authentication mechanism or the UserLookupHelper in an InfoMap authentication rule. See Configuring username and password authentication.

  • Apple Push Notification Service Updates

    The Apple Push Notification Provider has been updated to use the new HTTP/2 Apple Push Notification service API. The previous implementation was based on the Binary Provider API, which has been decommissioned by Apple and is no longer available. Migration of configuration data relating to the Apple Push Notification Service is done automatically on upgrade. See Push notification registration.

  • New Request Context Attributes and Macros

    Multiple new request context attributes have been added for use in AAC Mapping Rules. See Authentication policy parameters and credentials. The Target URL is also now available as a default macro, @TARGET@.

  • AuthSvcClient helper for InfoMap policy execution

    A new helper has been added which allows administrators to complete other authentication service policies within an InfoMap step without having to use HTTP requests to the authentication service. For more details and a simple example, see Execute authentication service policies in an Info Map.

  • Sample geo-location database

    The appliance firmware no longer embeds a sample geo-location database. A free database which can be used is available from the MaxMind site (https://www.maxmind.com). See Updating location attributes.

  • Local FIDO2 Client Custom Challenge

    The LocalFIDOClient helper has been updated to allow a custom challenge to be specified in both the assertion and attestation options requests. See Local FIDO Client.

  • Redis Support

    Support has been added for storing Authentication Service user sessions in Redis via the Distributed Map (DMap) when cookie-less is enabled. See Configuring the authentication and access module for cookieless operation and Server connection properties.

    The HVDB value for authsvc.stateMgmt.store has been removed. The HVDB can still be used as the cookie-less store, configured instead via the new DMap implementation, which supports HVDB as a store.

    FIDO2 short-lived data is stored in the DMap and will be impacted by the new DMap store configuration. See Advanced configuration properties.

  • RSA One-Time Password has been deprecated

    The RSA SecurID Authentication agent used by the RSA One-Time Password mechanism has been deprecated and is no longer supported. See RSA SecurID Authentication API.

    Instead use the RSA SecurID mechanism which utilizes the REST-based Authentication API. See Configuring an RSA one-time password mechanism. To enable the Authentication API on the Authentication Manager, see How to set up the REST RSA SecurID Authentication API for Authentication Manager 8.2 SP1.

  • New Local FIDO Client configuration ID discovery function

    The LocalFIDOClient helper has been updated to include a new function that can be used to exchange an rpId for the Relying Party configuration ID. See Local FIDO Client.

  • IBM Security Verify Gateway Integration

    An InfoMap based integration with IBM Security Verify Gateway has been added. Two Verify Gateway wizards, located under the Reverse Proxy Manage menu in the LMI, ensure that all the required configuration is performed, and a new AAC menu item, IBM Security Verify Gateway, has been added. See IBM Security Verify Gateway.

Federation

  • Support for JSON Web Token (JWT) PS signing algorithm

    The IBM Security Verify Access Federation component now supports the PS signing algorithm. See JWT Support.

  • OAuth2 Token Exchange

    Token Exchange can now be enabled as an OAuth2 grant type on IBM Security Verify Access. See OAuth 2.0 and OIDC workflows.

  • Redis Support

    IBM Security Verify Access now supports storing HTTP sessions and protocol-specific sessions in Redis. See Server connection properties.

  • Federation Connection Templates

    The appliance firmware no longer embeds a copy of the Federation connector templates. The template package is available for download from IBM Security App exchange. See Managing federation partner templates.

  • Support for regular expression based signature validation

    SAML 2.0 service provider partners now support regular expression based signature validation for assertions during Single Sign On flows. See SAML 2.0 Service Provider Partner Worksheet.

  • Session Persistence

    Support has been added to the Local Management Interface (LMI) to allow the Advanced Access Control and Federation session persistence stores and consumers to be configured through their own UI page. See Managing Session Persistence.