What's new in this release

It is now possible to configure WebSEAL to wait, on shutdown, for outstanding Web requests to be processed. See max-shutdown-quiesce-wait-time.

WebSEAL can now be configured to display a warning message when the SSL session renegotiation rate between clients and WebSEAL reaches a specified threshold. See ssl-reneg-warning-rate.

It is now possible to configure WebSEAL to flush specific cookies in the browser when an initial request is made from the browser. This provides a mechanism to clear stale cookies which might be present in the browser. See flush-cookie.

The WebSEAL failover cookie can now also be used for failover authentication when the session has been established using the native WebSEAL OIDC RP authentication mechanism. See Failover cookie.

A new WebSEAL template macro has been created which allows a WebSEAL translated message to be inserted into a WebSEAL error or management page. The out-of-the-box WebSEAL error and management pages have also been converted to use these message macro’s, replacing the previous translated pages. See Macro resources for customizing response pages.

A new configuration item has been added to the WebSEAL configuration file, ‘enabled-html-languages’, which allows an administrator to enable and disable specific languages, used by WebSEAL when generating error or management responses. See Disable Specific Languages.

WebSEAL currently supports the transmission of statistical information to a statsd server. It is now possible to specify a prefix for the name of the metrics which are sent to the statsd server. See Sending statistics to Statsd.

It is now possible to disable the insertion of a P3P header into a WebSEAL response. See enable-p3p.

A specific IPv4 management address can now be elected as the Primary Address. A Primary Address is the IP address that will be associated with the system hostname in the system hosts file. See Configuring interfaces.

The command line interface is now updated to allow administrators to list the installed extensions on a appliance and remove an installed extension. This allows administrators to remove an extension even if the management interface of the appliance becomes unresponsive.

Support for Glowroot for the management interface

The IBM Security Verify Access Extension for Glowroot is now updated to allow monitoring of the Management (LMI) server. Administrators can monitor the performance of both the Runtime and LMI application servers by using Glowroot.

A new extension is available from IBM Security App-Exchange which uploads and install the Instana monitoring agent on Virtual Appliance deployments of IBM Security Verify Access. This agent collects hardware and application metrics and sends this information to your Instana cloud tenant. See https://www.instana.com/ to learn more about the Instana monitoring capabilities.

The integration guides for Java application servers are now updated to use JWT authentication. User and group information can be supplied by WebSEAL by using a standards based format which is cryptographically verified. Integration guides are available to integrate JBoss, Wildfly, Liberty, and Tomcat application servers with IBM Security Verify Access. See IBM WebSphere Liberty SSO.

The Extension endpoint has been updated to capture the log output from installation scripts. This log file can be reviewed in the Application Log Files section of an appliance in the Extensions directory.

It is now possible to implement HTTP transformation rules in the Lua scripting language. See HTTP transformations.

It is now possible to configure a different pool of WebSocket worker threads for different interfaces. See Defining extra interfaces.

Subject Alternate Name (SAN) fields are now available to certificate EAI applications. See eai-data.

It is now possible to migrate the runtime environment from one appliance to another. See Exporting the runtime environment configuration.

The progress of the appliance bootstrapping is now displayed on the appliance console while the appliance is booting.

The list junction management API now supports a new query string parameter. If the query string parameter detailed=true is supplied with the request, then detailed junction configuration is retuned along with the existing name and type attributes. See Junctions.

A Luna SafeNet HSM device can now be used to manage cryptographic keys in a containerized environment.

It is now possible to enable JSON based console logging in the configuration container by setting the LOGGING_CONSOLE_FORMAT and LOG_TO_CONSOLE environment variables. See Docker image for Security Verify Access.

It is now possible to send system alerts to the console of the configuration container, by setting the LOG_TO_CONSOLE environment variable. See Docker image for Security Verify Access

The audit log file for the federated runtime server can now be forwarded to remote systems. Administrators are now able forward the messages, trace and audit logs from the AAC/Federation runtime to a centralized system. See Forwarding logs to a remote syslog server.

HTTP Status Code 503 is used when returning the "Third-party server not responding" response page 38cf04d7.html. Previously HTTP Status code 500 was used. See Static server response pages.

It is now possible to export junctions and select features from web reverse proxy instances to YAML configuration documents which can be used as a starting point to configure IBM Application Gateway. See Exporting to IBM Application Gateway. See Exporting to IBM Application Gateway.

It is now possible to specify and manage a list of allowed locales for AAC and Federation template files, and a default locale to use as a fallback. See SPS Page.

The example scenario previously known as How to FIDO, which prompts a user to register a FIDO2 user-verifying platform authenticator as part of the login process, has been improved and renamed. It now leverages Reverse Proxy remember-me functionality to fetch a user’s enrolled authenticators. See Scenarios.

FIDO2 attestation validation now supports the downloading of dynamic metadata from a list of configured metadata services. See Metadata.

A new whitelisted utility class has been added to allow a specified XPath to be evaluated on an XML document or element to retrieve a node or list of nodes. See XML Mapping Rules Method.

Performance improvements have been made to the method that the SCIM application uses for caching configuration. Configuration changes now only require a runtime reload instead of a full restart.

A new Advanced Configuration entry is now added to allow an administrator to specify the Junction name to be substituted for the @JUNCTION@ macro. See Advanced configuration properties.

The MechanismRegistrationHelper has been updated to include new methods to get MMFA transactions by user or transaction ID. This enables an administrator to check the status of a transaction in a JavasScript mapping rule. The Javadoc for these new methods can be found in a Verify Access appliance under Manage System Settings > Secure Settings > File Downloads (access_control/doc/ISVA-Javadoc.zip).

The advanced access control template files have been modified to alleviate content security policy violations. See Template Files and Content Security Policy.

The default Federation template files (for example: user_consent.html) is now updated so that embedded images, styles, and scripts are now located in separate files. See Template page scripting.