What's new in this release
IBM Security Verify Access provides new features and extended functions for Version 10.0.5.
Verify Access Platform
- Online updates and support licenses
The appliance now uses a new update notification service to notify administrators about available firmware updates using the Dashboard and System Events framework. The existing online update capabilities, including update scheduling and support license management, have been removed from the appliance.
- New Web Application Firewall capability that uses ModSecurity
The Reverse Proxy can now be configured to process requests by using the ModSecurity rules processing engine. The appliance also includes an embedded copy of the OWASP ModSecurity Core Rule Set. For more information about the new web application firewall capabilities, see Web Application Firewall.
- IBM Security Verify Access containers are no longer available on Docker Hub after 31 December 2022.
IBM Security Verify Access no longer hosts images on Docker Hub after 31 December 2022. All images are accessed from their new location on IBM Cloud® Container Registry.
This change is a breaking change to many automated deployment pipelines, and administrators must validate and modify their container deployment routines to source these containers from their new location.
For full information on the IBM Security Verify Access Container locations, use one of the following URLs.
- Multi-JDK support for PD.jar
The Policy Directory Java™ library (PD.jar) has been updated to support both IBM® Java 1.8 and OpenJDK 11. Previously, administrators were required to use the legacy version of PD.jar for versions of Java lower than 11. Now administrators are no longer required to move to Java 11 to use the latest version of PD.jar. For more information about using PD.jar to retrieve information from the runtime user registry/policy server, see the Administration Java classes overview.
- SafeNet Luna High Availability (HA) support
Support for SafeNet hagroup configurations was added to Verify Access. Administrators who install the SafeNet HSM Extension from IBM App-Exchange can group one or more SafeNet devices into an HA group. For more information about configuring HSM devices, see Configuring network Hardware Security Module (HSM).
Advanced Access Control (AAC)
- AAC Authentication Policy JSON API
A new API was added to the Local Management Interface (LMI) that represents AAC Authentication policies as JSON. Previously, the policy itself was represented solely as XML. For more information about the API and usage examples, see the WebServices documentation that is available from the appliance LMI. Apply the filter “Full JSON API” to show the appropriate pages for the new API.
- AAC Access Control Policy JSON API
A new API was added to the Local Management Interface (LMI) that represents AAC Access Control policies as JSON. Previously, the policy itself was represented solely as XACML 2.0. For more information and usage examples, see the WebServices documentation that is available from the appliance LMI. Apply the filter “Full JSON API” to show the appropriate pages for the new API.
- SCIM User Password schema
It is now possible for a user to change their password by using the SCIM API without the need for a two-phase update process. See User password change and recovery.
- Identifier First Authentication Scenario
A new scenario is now available in the Example Branching Policy Scenarios wizard, called Identifier First Authentication. This scenario initially prompts the user only for their username. The user is then able to choose between FIDO2/WebAuthn authentication, MMFA authentication, or standard username and password authentication. For more information, see Scenarios.
- FIDO2 Mediation
In the FIDO2 custom mediator, two new properties can be accessed from the registration object: backupEligibility and backupState. Both relate to the backup of the public key credential source of a registration. For more information, see FIDO2 Mediation.
- JavaScript Whitelisted Classes
In the available JavaScript classes, two new methods are available in the following two classes: com.tivoli.am.fim.registrations.local.FIDORegistration and com.tivoli.am.fim.fido.mediation.FIDO2Registration. They both now provide getter methods for backupEligibility and backupState. For more information, see JavaScript whitelist.
- Template Files
In the management of template files, directories can now be created at the root level. For more information, see Managing template files.