Critical changes in this release
This topic highlights changes in IBM Security Verify Access version 10.0.5 that might affect compatibility with earlier versions.
Verify Access Platform
- Legacy Web Application Firewall end of service
The legacy web application firewall capability, Web Content Protection, will reach end of service on 31st December, 2022. After this date, no further updates will be made available. Customers can continue to use the capability on an as-is basis, and support will be available for general information and existing functionality only. There will be no defect support available.
A new web application firewall based on the ModSecurity rules engine is now available, see Web Application Firewall.
- Removal of the online update service and support licenses
The Flexera/Flexnet powered IBM Security License Key and Download Center service used with IBM Security Verify Access (ISVA) and IBM Security Access Manager (ISAM) will be shut down after December 31st, 2022. Any associated license file will no longer be available from this service after this time. This will not have any effect on the product's functionality or on the ability to raise a support ticket. Refer to this link for further information.
Management pages and APIs associated with the online update service and support licenses have been removed from the appliance.
The following pages are no longer present in the management interface:
The following pages are renamed in the management interface. For backwards compatibility, the URLs of these management pages and associated APIs are unchanged.
- Firmware Updates is now
- Activated Modules is now
The following management APIs are no longer present:
- /licenses Support licenses
- /lum/* Support license status
- /updates/history/* Update history
- /updates/overview/* Overview of licenses and updates
- New update notification service
A new update notification service notifies administrators about available firmware updates through the system events framework and the management dashboard. When an update is available, information including a download link is presented on the
page. This new service requires the appliance to contact the host updates.verify.ibm.com. To make use of this service, the appliance posts several pieces of non-identifiable usage data about the appliance, including the firmware version, which offerings are activated, whether or not it is a trial version, and the platform/hypervisor it is running on. To disable the update notification service, set the advanced tuning parameter wga_notifications.updates.enabled to false.
- IBM Security Verify Access containers will no longer be available on Docker Hub after December 31st, 2022.
IBM Security Verify Access will no longer host images on Docker Hub after December 31st, 2022. All images are accessed from their new location on IBM Cloud Container Registry.
This change is a breaking change to many automated deployment pipelines, and administrators must validate and modify their container deployment routines to source these containers from their new location.
For full information on the IBM Security Verify Access container locations, use one of the following URLs.
Advanced Access Control (AAC)
- QR Code ACL and API
The Reverse Proxy MMFA wizard now attaches the unauth ACL, not the REST ACL, to the QR Code endpoint. The QR Code API was also changed to return a QR Code when either a valid authorization code is supplied or a valid QR login session exists.
- MMFA Login Wait Template
The macro @MMFA_DEVICE_NAME@ was removed from the login_wait.html template page for MMFA flows, as it was not populated by any MMFA mechanism.
- Removed deprecated CiClient methods
A number of CiClient methods that relied on the IBM Security Verify API /v1.0/authnmethods were removed following their prior deprecation.
The following CiClient methods were removed:
- CiClient.getAuthMethods
- CiClient.getSignatureAuthMethods
- CiClient.getAuthMethod
- CiClient.enrollAuthMethod
- CiClient.updateAuthMethod
- CiClient.deleteAuthMethod
- CiClient.getValidation
- CiClient.validateOTP
- CiClient.createVerification
- CiClient.createTransientVerification
- CiClient.getVerifications
- CiClient.getVerification
- CiClient.verifyTOTP
- CiClient.verifyOTP
- CiClient.verifyTransientOTP
- Response token attributes in InfoMap
When response token attributes are used in an InfoMap by way of context variables, the plural namespace urn:ibm:security:asf:response:token:attributes incorrectly returns and updates a singular value. The singular namespace urn:ibm:security:asf:response:token:attribute incorrectly returns and updates a string array. The set function now accepts a string or a string array for either namespace, and correctly updates the value based on the object that was passed in. However, to prevent compatibility issues with earlier versions, the get function was not modified.
- IBM Security Verify Gateway Integration
The VerifyGatewayEntry mapping rule now uses the new MechanismRegistrationHelper to retrieve MMFA registrations rather than the SCIM API, which resulted in extra HTTP requests. For more information, see AAC IBM Security Verify Gateway.
- FIDO2 metadata attestation root certificate matching
When matching an X.509 attestation root certificate to validate a new FIDO2 attestation (registration) using metadata, the certificate used can no longer be part of the X.509 chain returned in the signed attestation. Instead, a certificate which signs the last entry of the X.509 trust chain must be present in the attestation root certificates of a FIDO2 metadata document.
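The root-matching rule described above, as an added example written for this page and not IBM's own code: the trust anchor is taken only from the metadata document's attestationRootCertificates and must sign the last certificate of the attestation chain, so a root carried inside the attestation itself is never used as an anchor. It assumes the `cryptography` package and uses constructed certificates in place of a real authenticator chain and metadata document.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _cert(cn, issuer_cn, key, signing_key, ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def _signed_by(cert, issuer):
    # True only if the issuer's name matches and its key verifies cert's signature.
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def attestation_root_trusted(x5c, metadata_roots):
    # x5c: attestation chain as sent by the authenticator, leaf first.
    # metadata_roots: attestationRootCertificates from the FIDO metadata document.
    # Only metadata roots are candidate anchors; one must sign the LAST chain entry.
    if not x5c:
        return False
    return any(_signed_by(x5c[-1], root) for root in metadata_roots)

# Constructed sample data: the vendor root listed in metadata, and a rogue
# self-signed root that copies the vendor's subject name but is not in metadata.
vendor_key, rogue_key, authn_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
vendor_root = _cert("Vendor FIDO Root", "Vendor FIDO Root", vendor_key, vendor_key, True)
rogue_root = _cert("Vendor FIDO Root", "Vendor FIDO Root", rogue_key, rogue_key, True)
genuine_leaf = _cert("Authenticator", "Vendor FIDO Root", authn_key, vendor_key, False)
rogue_leaf = _cert("Authenticator", "Vendor FIDO Root", authn_key, rogue_key, False)
METADATA_ROOTS = [vendor_root]

if __name__ == "__main__":
    print(attestation_root_trusted([genuine_leaf], METADATA_ROOTS))           # True
    print(attestation_root_trusted([rogue_leaf, rogue_root], METADATA_ROOTS))  # False
```

The second call shows the point of the change: the chain is internally consistent and even ships its own root, but that root is not in the metadata document and so confers no trust.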
- Access Control Resource attachment check
An enhancement that was added in Verify Access 10.0.4 was reverted because of a performance degradation on the Advanced Tuning Parameter page. When the page is loaded, the resources were checked against the policy server to ensure that the attachment publishing was still valid. Instead, this behavior can now be enabled by setting the pop.attachments.check parameter to true.
Federation
- Change in behavior when a SOAPMessage is nested within another SOAPMessage
When a nested SOAPMessage is sent to the SecurityTokenService, only the inner SOAPMessage is evaluated by the Federation runtime.