Critical changes in this release

This topic highlights changes in IBM Security Verify Access version 10.0.5 that might affect compatibility with earlier versions.

Verify Access Platform

  • Legacy Web Application Firewall end of service

    The legacy web application firewall capability, Web Content Protection, will reach end of service on 31st December, 2022. After this date, no further updates will be made available. Customers can continue to use the capability on an as-is basis, and support will be available for general information and existing functionality only. There will be no defect support available.

    A new web application firewall based on the ModSecurity rules engine is now available. See Web Application Firewall.

  • Removal of the online update service and support licenses

    The Flexera/Flexnet powered IBM Security License Key and Download Center service used with IBM Security Verify Access (ISVA) and IBM Security Access Manager (ISAM) will be shut down after December 31st, 2022. Associated license files will no longer be available from this service after that date. This has no effect on the product's functionality or on the ability to raise a support ticket. Refer to this link for further information.

    Management pages and APIs associated with the online update service and support licenses have been removed from the appliance.

    The following pages are no longer present in the management interface:
    • System > Updates and Licensing > Overview
    • System > Updates and Licensing > Application Database Settings
    • System > Updates and Licensing > Scheduled Security Updates
    • System > Updates and Licensing > Update Servers
    • System > Updates and Licensing > Update History
    The following pages are renamed in the management interface. For backwards compatibility, the URLs of these management pages and associated APIs are unchanged.
    • System > Updates and Licensing > Available Updates is now Firmware Updates
    • System > Updates and Licensing > Licensing and Activation is now Activated Modules
    The following management APIs are no longer present:
    • /licenses Support licenses
    • /lum/* Support license status
    • /updates/history/* Update history
    • /updates/overview/* Overview of licenses and updates
  • New update notification service

    A new update notification service is used to notify administrators about available firmware updates using the system events framework and management dashboard. When an update is available, information including a download link is presented on the System > Updates and Licensing > Firmware Updates page.

    This new service requires the appliance to contact the host updates.verify.ibm.com, so outbound network policy must allow that connection. When the service is enabled, the appliance posts the following non-identifiable usage data to that host: the firmware version, which offerings are activated, whether the appliance is a trial version, and the platform or hypervisor it is running on.

    To disable the update notification service, set the advanced tuning parameter wga_notifications.updates.enabled to false.

  • IBM Security Verify Access containers will no longer be available on Docker Hub after December 31st, 2022.

    IBM Security Verify Access will no longer host images on Docker Hub after December 31st, 2022. All images are accessed from their new location on IBM Cloud Container Registry.

    This change is a breaking change to many automated deployment pipelines, and administrators must validate and modify their container deployment routines to source these containers from their new location.

    For full information on the IBM Security Verify Access Container locations, use one of the following URLs.

Advanced Access Control (AAC)

  • QR Code ACL and API

    The Reverse Proxy MMFA wizard now attaches the unauth ACL, not the REST ACL, to the QR Code endpoint. The QR Code API was also changed to return a QR Code when either a valid authorization code is supplied, or a valid QR login session exists.

  • MMFA Login Wait Template

    The macro @MMFA_DEVICE_NAME@ was removed from the login_wait.html template page for MMFA flows, as it was not populated by any MMFA mechanism.

  • Removed deprecated CiClient methods

    A number of CiClient methods that relied on the IBM Security Verify API /v1.0/authnmethods were removed following their prior deprecation.

    The following CiClient methods were removed.
    • CiClient.getAuthMethods
    • CiClient.getSignatureAuthMethods
    • CiClient.getAuthMethod
    • CiClient.enrollAuthMethod
    • CiClient.updateAuthMethod
    • CiClient.deleteAuthMethod
    • CiClient.getValidation
    • CiClient.validateOTP
    • CiClient.createVerification
    • CiClient.createTransientVerification
    • CiClient.getVerifications
    • CiClient.getVerification
    • CiClient.verifyTOTP
    • CiClient.verifyOTP
    • CiClient.verifyTransientOTP
  • Response token attributes in InfoMap

    When response token attributes are accessed in an InfoMap through context variables, the plural namespace urn:ibm:security:asf:response:token:attributes incorrectly returns and updates a single string value, and the singular namespace urn:ibm:security:asf:response:token:attribute incorrectly returns and updates a string array. The set function now accepts either a string or a string array for either namespace and updates the value according to the type of the object that is passed in. The get function is deliberately unchanged, to avoid breaking mapping rules that were written against the earlier behavior.

  • IBM Security Verify Gateway Integration

    The VerifyGatewayEntry mapping rule now uses the new MechanismRegistrationHelper to retrieve MMFA registrations rather than using the SCIM API, which resulted in extra HTTP requests. For more information, see AAC IBM Security Verify Gateway.

  • FIDO2 metadata attestation root certificate matching

    When a new FIDO2 attestation (registration) is validated against metadata, the X.509 attestation root certificate that is matched can no longer be one of the certificates in the X.509 chain returned in the signed attestation. Instead, the attestation root certificates of the FIDO2 metadata document must contain a certificate that signs the last entry of the attestation's X.509 trust chain.

  • Access Control Resource attachment check

    An enhancement that was added in Verify Access 10.0.4 is reverted because it degraded the performance of the AAC > Access Control > Resources page. In 10.0.4, each resource was checked against the policy server when the page was loaded, to ensure that its attachment was still published. This check is now off by default and can be re-enabled by setting the Advanced Tuning Parameter pop.attachments.check to true.
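The FIDO2 metadata attestation root certificate matching change described above, worked through in Go as an added example. This is not IBM's code and Verify Access does not expose this logic as an API; it is written against the rule as the release note states it. The block builds a constructed three-level test PKI (root, intermediate, authenticator leaf) with the standard library, then applies the 10.0.5 rule: a metadata root matches only if it is not itself one of the certificates in the attestation's x5c chain and it signed the chain's last certificate. The case where the authenticator's chain carries the root itself, which matched before 10.0.5, now fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a fresh key pair and a certificate for it, signed by signer; a nil parent
// yields a self-signed certificate. Constructed test PKI, not real authenticator material.
func issue(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign // CheckSignatureFrom requires this on a signer
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// inChain reports whether cert is byte-for-byte one of the certificates in x5c.
func inChain(cert *x509.Certificate, x5c []*x509.Certificate) bool {
	for _, c := range x5c {
		if bytes.Equal(c.Raw, cert.Raw) {
			return true
		}
	}
	return false
}

// MatchAttestationRoot applies the 10.0.5 rule: a metadata root matches only if it is not
// part of the attestation's x5c chain and it signed the last certificate of that chain.
func MatchAttestationRoot(x5c, metadataRoots []*x509.Certificate) (int, error) {
	if len(x5c) == 0 {
		return -1, errors.New("attestation carries no x5c chain")
	}
	last := x5c[len(x5c)-1]
	for i, root := range metadataRoots {
		if inChain(root, x5c) {
			continue // the authenticator-supplied chain may not carry its own trust anchor
		}
		if last.CheckSignatureFrom(root) == nil {
			return i, nil
		}
	}
	return -1, errors.New("no metadata root signs the last certificate of the x5c chain")
}

// RunCases builds the constructed PKI and reports, per case, whether a metadata root matched.
func RunCases() map[string]bool {
	root, rootKey := issue("Constructed FIDO2 Root", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate", true, root, rootKey)
	leaf, _ := issue("Constructed Authenticator", false, inter, interKey)
	other, _ := issue("Unrelated Root", true, nil, nil)
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	cases := map[string][2][]*x509.Certificate{ // name -> {x5c, metadata roots}
		"root-outside-chain-signs-last": {certs(leaf, inter), certs(root)},
		"root-included-in-chain":        {certs(leaf, inter, root), certs(root)},
		"root-does-not-sign-last":       {certs(leaf), certs(root)},
		"unrelated-metadata-root":       {certs(leaf, inter), certs(other)},
	}
	out := make(map[string]bool, len(cases))
	for name, c := range cases {
		_, err := MatchAttestationRoot(c[0], c[1])
		out[name] = err == nil
	}
	return out
}

func main() {
	for name, ok := range RunCases() {
		fmt.Printf("%-32s matched=%v\n", name, ok)
	}
}
```

Only the root-matching step is modelled here; a real registration validator also checks that each x5c certificate is signed by the next one in the chain and verifies the attestation signature with the leaf key. Because a root that appears inside the authenticator's own chain no longer matches, registrations from authenticators whose attestation chain ends with the root certificate itself will fail metadata matching after the upgrade, so review the metadata documents and authenticator models in use before rolling out 10.0.5.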

Federation

  • Change in behavior when a SOAPMessage is nested within another SOAPMessage

    When a nested SOAPMessage is sent to the SecurityTokenService, only the inner SOAPMessage is evaluated by the Federation runtime.